Enforce client generated scripts sandbox [Updated in Security Center 1.3]

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Enforce client generated scripts sandbox

    The glide.script.use.sandbox system property in ServiceNow enables sandboxing for client-generated scripts evaluated on the server, specifically within the ServiceNow AI Platform. This feature, introduced in the Xanadu release, restricts the execution environment for scripts sent from the client, enhancing security by limiting their capabilities and access rights.


    Once enabled, this property is a safe harbor setting, meaning its value cannot be changed or reverted, so careful consideration before enabling is essential.

    Key Features

    • Sandboxed scripts can only access business rules marked as Client callable and script includes marked as Sandbox enabled.
    • Certain API calls, especially those involving direct database access, are prohibited in the sandbox.
    • Scripts running in the sandbox cannot perform data modifications such as insert, update, or delete operations (e.g., current.update() calls are ignored).
    • In the Xanadu release, script includes previously marked as Glide AJAX enabled (formerly Client callable) are no longer accessible within the sandbox unless explicitly marked as Sandbox enabled.
    • When upgrading from Washington DC or earlier releases to Xanadu, script includes marked as Client callable are automatically marked as Sandbox enabled to maintain compatibility.

    Why It Matters

    Enabling script sandboxing significantly reduces security risks by preventing unauthorized or potentially harmful scripts from performing critical operations on the server. It enforces validation and sanitization of client-side JavaScript queries that interact with the ServiceNow AI Platform, which is crucial given the platform’s extensive use of JavaScript for functionality.

    Without sandboxing, scripts can execute with fewer restrictions, increasing the risk of unauthorized data manipulation or exposure.

    Practical Considerations

    • Before enabling the sandbox, review any customizations that rely on hard-coded JavaScript queries performing data operations, as these may be impacted.
    • The recommended and default value for glide.script.use.sandbox is true, reflecting best security practices.
    • This property belongs to a family of system properties that secure client-originated script execution, alongside glide.script.allow.ajaxevaluate and glide.script.secure.ajaxgliderecord.
    • To enable or modify this property, use System Properties within the ServiceNow platform.

    Use the glide.script.use.sandbox property to enable script sandboxing.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    There are two cases in the ServiceNow AI Platform that enable the client to send scripts to the server for evaluation:

    • Filters or queries: It is legal to send a filter to the server such as assigned_to=javascript:getMyGroups().
    • System API: API call enables the client to run arbitrary scripts on the server and receive a response.

    If you enable the script sandbox, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:
    • Only those business rules marked Client callable are available within the sandbox.
    • Only script includes marked Sandbox enabled are available within the sandbox.
    • Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access) are not allowed.
    • You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update() are ignored.

    If you run the ServiceNow AI Platform without enabling script sandboxing, none of these restrictions apply.

    Note:
    Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Xanadu release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.
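
A static review of customized filters against the sandbox characteristics listed above, as an added example that is not ServiceNow code. The allow-list contents, the sample filters and the helper names (`scriptFragments`, `reviewFilter`) are constructed for illustration; export the real list of Sandbox enabled script includes and Client callable business rules from your own instance.

```javascript
// Added example: review filters that embed javascript: expressions before the
// sandbox is enforced. All names and sample values here are constructed.

// Script includes marked "Sandbox enabled" and business rules marked
// "Client callable" on the instance (constructed sample list).
const SANDBOX_AVAILABLE = new Set(["getMyGroups", "getMyAssignments"]);

// Data-modifying calls; the page states these are ignored inside the sandbox.
const WRITE_CALLS = /\.(insert|update|updateMultiple|deleteRecord|deleteMultiple)\s*\(/g;
const KEYWORDS = new Set(["if", "for", "while", "switch", "function", "return", "catch"]);

// Split an encoded query on "^" and return the script after each javascript: prefix.
// Limitation: a script that itself contains "^" is cut at that character.
function scriptFragments(encodedQuery) {
  return encodedQuery
    .split("^")
    .map((term) => /javascript:(.*)$/i.exec(term))
    .filter(Boolean)
    .map((m) => m[1].trim());
}

// For each fragment, list top-level names it calls that are not on the
// allow-list (need review) and write calls that would silently do nothing.
function reviewFilter(encodedQuery) {
  return scriptFragments(encodedQuery).map((script) => {
    const called = [...script.matchAll(/(?<![.\w$])([A-Za-z_$][\w$]*)\s*\(/g)]
      .map((m) => m[1])
      .filter((name) => !KEYWORDS.has(name));
    return {
      script,
      notSandboxEnabled: [...new Set(called)].filter((n) => !SANDBOX_AVAILABLE.has(n)),
      ignoredWrites: [...script.matchAll(WRITE_CALLS)].map((m) => m[1]),
    };
  });
}

// Constructed sample filters, as they might appear in customizations.
const SAMPLE_FILTERS = [
  "assigned_to=javascript:getMyGroups()^active=true",
  "assignment_group=javascript:new LegacyGroupUtil().forUser()^state=1",
  "short_description=javascript:current.update(); getMyAssignments()",
];
for (const f of SAMPLE_FILTERS) console.log(f, JSON.stringify(reviewFilter(f)));
```

Method calls on objects (for example `gs.getUserID()`) are deliberately not flagged by name; only top-level functions and constructors are compared with the allow-list.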

    More information

    Attribute: Description
    Property name: glide.script.use.sandbox
    Configuration type: System Properties (/sys_properties_list.do)
    Category: Validation, sanitization, and encoding
    Purpose: Enforces validation for the client-side JavaScript queries that are launched against the platform
    Recommended value: true
    Default value: true
    Security risk rating: 9.8
    Functional impact: This remediation enforces validation for the client-side JavaScript queries that are launched against the ServiceNow AI Platform. There is a potential impact if the customer has customizations that include hard-coded JavaScript queries to perform CRUD operations.
    Security risk: (Critical) The ServiceNow AI Platform provides a wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform.
    References: Configuring Script sandbox property

    glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client:
    • glide.script.allow.ajaxevaluate: See Enable AJAXEvaluate.
    • glide.script.secure.ajaxgliderecord: See .

    To learn more about adding or creating a system property, see Add a system property.