XMLdoc2 entity validation with allow list (instance security hardening)
Use a property to enable XMLDocument2 processing of external entities that are on the inclusion list.
Prerequisites
Before setting this property:
- Set the glide.xml.entity.whitelist.enabled property to true. To learn more, see XMLdoc/XMLUtil entity validation with allow list.
- Define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property. These are the only URLs that can be reached using XML entity processing. To learn more, see XML external entity processing - allow list.
More information
| Attribute | Description |
|---|---|
| Property name | glide.stax.whitelist_enabled |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | This remediation control must be enabled to defend against XML External Entity attacks. |
| Recommended value | true |
| Functional Impact | If the customization is using an external entity that is not inclusion listed, the ServiceNow AI Platform might block further processing. To learn more, see XML external entity processing - allow list. |
| Security risk | (High) A DTD supplied by an attacker may include arbitrary HTTP requests that the server may execute. By using the server's trust relationship with other entities, this could lead to other attacks. |
To learn more about adding or creating a system property, see Add a system property.
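
The following audit is an added example, not ServiceNow code: it checks the two prerequisites and the recommended value described above against a set of exported property values. The function name `auditXmlEntityProps`, the plain-object input, and the case-insensitive reading of `true` are assumptions; the sample values are constructed.

```javascript
// Added example: audit the three properties named on this page.
// `props` is a plain object of property name -> string value, for example
// copied by hand from /sys_properties_list.do. No ServiceNow API is called.
const FQDN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function auditXmlEntityProps(props) {
  const findings = [];
  // Assumption: a value counts as enabled when it reads "true" (any case).
  const isTrue = (name) => String(props[name] ?? '').trim().toLowerCase() === 'true';

  // Prerequisite 1: the entity allow list must be switched on.
  if (!isTrue('glide.xml.entity.whitelist.enabled')) {
    findings.push('glide.xml.entity.whitelist.enabled is not true');
  }
  // Prerequisite 2: a comma-delimited list of FQDNs must be defined.
  const raw = String(props['glide.xml.entity.whitelist'] ?? '');
  const entries = raw.split(',').map((e) => e.trim()).filter((e) => e !== '');
  if (entries.length === 0) {
    findings.push('glide.xml.entity.whitelist is empty or missing');
  }
  for (const entry of entries) {
    // An entry carrying a scheme, port, path or wildcard is not a bare FQDN.
    if (!FQDN.test(entry)) {
      findings.push(`allow-list entry is not an FQDN: ${entry}`);
    }
  }
  // The control described on this page.
  if (!isTrue('glide.stax.whitelist_enabled')) {
    findings.push('glide.stax.whitelist_enabled is not true (recommended value: true)');
  }
  return findings;
}

// Constructed sample values, not taken from a real instance.
const hardened = {
  'glide.xml.entity.whitelist.enabled': 'true',
  'glide.xml.entity.whitelist': 'schemas.example.com, dtd.example.org',
  'glide.stax.whitelist_enabled': 'true',
};
const weak = {
  'glide.xml.entity.whitelist.enabled': 'true',
  'glide.xml.entity.whitelist': 'schemas.example.com,https://dtd.example.org/x.dtd',
  'glide.stax.whitelist_enabled': 'false',
};

console.log(auditXmlEntityProps(hardened)); // []
console.log(auditXmlEntityProps(weak));
```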