Enable script sandbox [Updated in Security Center 1.3]

  • Release version: Yokohama
  • Updated January 30, 2025
  • Use the glide.script.use.sandbox property to enable script sandboxing.

    Prevent unauthorized or unauthenticated users from executing privileged script on your instance by enabling the script sandbox feature. The script sandbox is used to execute client-generated scripts, such as query conditions and GlideAjax expressions, in a "sandbox" environment that has restricted rights.

    Without the script sandbox, unauthorized or unauthenticated users can execute privileged script on an instance. This can impact security across all areas, including, but not limited to, potentially malicious access to all data on the instance.

    Enable the script sandbox feature on your instance by setting the glide.script.use.sandbox system property to true.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    There are two cases in the ServiceNow AI Platform that enable the client to send scripts to the server for evaluation:
    • Filters or queries: It is legal to send a filter to the server such as assigned_to=JavaScript:getMyGroups().
    • System API: An API call enables the client to run arbitrary scripts on the server and receive a response.

    If you enable the script sandbox, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:
    • Only those business rules marked Client callable are available within the sandbox.
    • Only script includes marked Sandbox enabled are available within the sandbox.
    • Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access) are not allowed.
    • You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update() are ignored.

    If you run the ServiceNow AI Platform without enabling script sandboxing, none of these restrictions apply.

    Note:
    Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Yokohama release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.
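
    The restrictions above can be checked against saved filters before the property is enabled. The following is an added example, not ServiceNow code: it scans encoded queries for javascript: expressions and reports calls that would be unavailable or ignored in the sandbox. The row shapes, the field names client_callable and sandbox_callable, matching a business rule by its name, and all sample data are assumptions made for illustration.

```javascript
// Added example: offline pre-check of saved filters against the sandbox rules.
// Field names (name, client_callable, sandbox_callable) and every row below are
// assumptions / constructed sample data, not values from a real instance.
const WRITE_CALL = /\.(insert|update|updateMultiple|deleteRecord|deleteMultiple)\s*\(/;
// Bare or "new"-prefixed calls such as getMyGroups( or new GroupUtil( ;
// method calls (.getMine() are skipped because only the top-level name must resolve.
const TOP_LEVEL_CALL = /(^|[^.\w$])(?:new\s+)?([A-Za-z_$][\w$]*)\s*\(/g;

// Pull each "javascript:" expression out of an encoded query. Treating "^" as
// the end of a condition is a simplification for this example.
function extractScripts(encodedQuery) {
  return encodedQuery.split('^')
    .map((cond) => /javascript:(.*)$/i.exec(cond))
    .filter(Boolean)
    .map((m) => m[1].trim());
}

// Report what each embedded script would lose once it runs in the sandbox.
function auditFilter(encodedQuery, inventory) {
  const findings = [];
  for (const script of extractScripts(encodedQuery)) {
    if (WRITE_CALL.test(script)) {
      findings.push({ script, issue: 'write call is ignored in the sandbox' });
    }
    for (const [, , name] of script.matchAll(TOP_LEVEL_CALL)) {
      const available =
        inventory.scriptIncludes.some((s) => s.name === name && s.sandbox_callable) ||
        inventory.businessRules.some((b) => b.name === name && b.client_callable);
      if (!available) findings.push({ script, issue: `${name} is not available in the sandbox` });
    }
  }
  return findings;
}

// Constructed inventory: GroupUtil is Glide AJAX enabled but not Sandbox enabled.
const SAMPLE_INVENTORY = {
  scriptIncludes: [
    { name: 'GroupUtil', client_callable: true, sandbox_callable: false },
    { name: 'AssignmentHelper', client_callable: false, sandbox_callable: true },
  ],
  businessRules: [{ name: 'getMyGroups', client_callable: true }],
};
const SAMPLE_FILTERS = [
  'active=true^assigned_to=JavaScript:getMyGroups()',
  'assignment_group=javascript:new GroupUtil().getMine()',
  'sys_id=javascript:current.update()',
];
for (const f of SAMPLE_FILTERS) console.log(f, auditFilter(f, SAMPLE_INVENTORY));
```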

    More information

    | Attribute | Description |
    | --- | --- |
    | Property name | glide.script.use.sandbox |
    | Configuration type | System Properties (/sys_properties_list.do) |
    | Category | Validation, sanitization, and encoding |
    | Purpose | Enforces validation for the client-side JavaScript queries that are launched against the platform |
    | Recommended value | true |
    | Default value | true |
    | Security risk rating | 10 |
    | Functional impact | This remediation enforces validation for the client-side JavaScript queries that are launched against the ServiceNow AI Platform. There is a potential impact if the customer has customizations that include hard-coded JavaScript queries to perform CRUD operations. |
    | Security risk | (Critical) The ServiceNow AI Platform provides a wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform. |
    | References | Configuring Script sandbox property |

    glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.