Configuring Script sandbox property

  • Release version: Xanadu
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuring Script Sandbox Property

    The script sandbox property (glide.script.use.sandbox) enables the execution of client-generated scripts within a restricted environment, enhancing security by limiting access to system resources. This property is enabled by default when the High Security Settings plugin is activated and should not be enabled outside of this context.

    Show full answer Show less

    Key Features

    • Client-generated scripts run in a reduced-rights sandbox.
    • Only business rules marked as Client callable and script includes marked as Sandbox enabled are accessible.
    • Certain API calls related to direct database access are disallowed, including data manipulation methods like insert, update, and delete.
    • Starting with the Xanadu release, script includes previously marked as Client callable are no longer accessible unless marked as Sandbox enabled.

    Key Outcomes

    By utilizing the script sandbox property, ServiceNow customers can ensure that client-generated scripts operate securely without compromising the integrity of their system. This reduces the risk of unauthorized data manipulation and enhances overall system security. Customers should be aware of restricted methods when using the sandbox to avoid errors in their scripts.

    Enable the script sandbox property (glide.script.use.sandbox) to run client-generated scripts inside a sandbox that has restricted rights.

    Note:
    This property is enabled by default when you activate the High Security Settings plugin. Don’t enable this property outside of the plugin.

    There are two cases within the system that allow the client to send scripts to the server for evaluation.

    • Filters or queries: It’s legal to send a filter to the server such as: assigned_to=javascript:getMyGroups().
    • System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.
    If you enable the script sandbox property (glide.script.use.sandbox), the script being evaluated via either of these two entry points runs within a reduced-rights sandbox with the following characteristics:
    • Only those business rules marked Client callable are available within the sandbox.
    • Only script includes marked Sandbox enabled are available within the sandbox.
    • Certain API calls (largely but not entirely limited to those dealing with direct DB access) aren’t allowed.
    • Data can’t be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
    Note:
    Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Xanadu release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.
    Property Description
    glide.script.use.sandbox Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights "sandbox."

    If true, only those business rules with the Client callable option selected and script includes with the Sandbox enabled option selected are available and certain back-end API calls are disallowed.

    Restricted methods with sandbox enabled

    These methods aren’t supported in client-generated scripts when script sandboxing is enabled.

    Note:
    The GlideSystem (gs) methods log(), logError(), and logWarning() can be enabled with script sandboxing by setting the glide.security.sandbox_no_logging system property to false.

    If you run the system without script sandboxing enabled, then none of these restrictions apply.

    Table 1. Restricted methods
    Class Method
    GlideRecord
    • deleteMultiple()
    • deleteRecord()
    • getRowCount()
    • insert()
    • update()
    • updateMultiple()
    GlideSystem (gs)
    • addErrorMessage()
    • addInfoMessage()
    • addMessage()
    • eventQueue()
    • flushMessages()
    • getEscapedProperty()
    • getProperty()
    • log()
    • logError()
    • logWarning()
    • setProperty()
    • setRedirect()
    • setReturn()
    • workflowFlush()
    ScopedGlideRecord
    • deleteMultiple()
    • deleteRecord()
    • insert()
    • update()
    • updateMultiple()
    ScopedGlideSystem (gs)
    • addErrorMessage()
    • addInfoMessage()
    • debug()
    • eventQueue()
    • executeNow()
    • getProperty()
    • getSessionToken()
    • info()
    • setRedirect()
    GlideDate

    GlideDateTime

    GlideTime
    • add()
    • addDays()
    • addDaysLocalTime()
    • addDaysUTC()
    • addMonthsLocalTime()
    • addMonths()
    • addSeconds()
    • addWeeks()
    • addYears()
    • compareTo()
    • getByFormat()
    • getDate()
    • getDayOfWeek()
    • getDayOfWeekUTC
    • getDayOfWeekLocalTime()
    • getDayOfMonth()
    • getDayOfMonthLocalTime()
    • getDayOfMonthNoTZ()
    • getDayOfWeek()
    • getDayOfWeekLocalTime()
    • getDayOfWeekUTC()
    • getHourOfDayLocalTime()
    • getHourOfDayUTC()
    • getDaysInMonth()
    • getDaysInMonthUTC()
    • getDaysInMonthLocalTime()
    • getDisplayValueInternal()
    • getDisplayValue()
    • getHourLocalTime()
    • getLocalDate()
    • getLocalTime()
    • getMinutesLocalTime()
    • getMinutesUTC()
    • getMonthLocalTime()
    • getMonthNoTZ()
    • getMonthUTC()
    • getNumericValue()
    • getSeconds()
    • getTime()
    • getTZOffset()
    • getValue()
    • getYear()
    • getUserTimeZone()
    • getWeekOfYearLocalTime()
    • getWeekOfYearUTC()
    • getYearUTC()
    • getYearLocalTime()
    • isDST()
    • onOrAfter()
    • onOrBefore()
    • setDayOfMonthUTC()
    • setDisplayValue()
    • setMonth()
    • setNumericValue()
    • setTZ()
    • setValue()
    • setValueUTC()
    • subtract()
    • toString()
    GlideSchedule
    • add()
    • isInSchedule()
    • Load()
    • whenNext()