Enable script sandbox [Updated in Security Center 1.3]

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Enable script sandbox [Updated in Security Center 1.3]

    Thescript sandboxis a security feature in ServiceNow designed to restrict the execution of client-generated scripts on the server, such as query conditions and GlideAjax expressions. By enabling the script sandbox, you can prevent unauthorized or unauthenticated users from executing privileged scripts that could compromise your instance’s security and data integrity.

    Show full answer Show less

    This feature is controlled by the system property glide.script.use.sandbox, which once enabled, cannot be reverted. It is critical for protecting your instance from potentially malicious script execution.

    Key Features

    • Scripts sent from clients (like filters or queries) run in a restricted “sandbox” environment with limited privileges.
    • Only business rules marked Client callable and script includes marked Sandbox enabled are accessible within the sandbox.
    • Restricted API calls disallow direct database modifications such as insert, update, or delete operations—calls like current.update() are ignored.
    • Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (formerly Client callable) are no longer accessible inside the sandbox unless also marked Sandbox enabled.
    • During upgrade to Yokohama from Washington DC or earlier releases, script includes marked Client callable are automatically marked Sandbox enabled to maintain compatibility.

    Practical Impact for ServiceNow Customers

    • Security: Enables enforcement of validation for client-side JavaScript queries, significantly reducing the risk of unauthorized script execution and protecting all instance data.
    • Functionality: May impact customizations using hard-coded JavaScript queries that perform create, read, update, or delete (CRUD) operations, as such operations are blocked within the sandbox.
    • Configuration: Enable the script sandbox by setting glide.script.use.sandbox to true in System Properties under Validation, sanitization, and encoding category.
    • Irreversibility: Once enabled, the sandbox cannot be disabled on the instance, making it a permanent security enhancement.

    Related Security Settings

    • glide.script.allow.ajaxevaluate: Controls AJAX script evaluation permissions.
    • glide.script.secure.ajaxgliderecord: Enforces ACL checking on AJAX GlideRecord calls.

    Enabling the script sandbox is a critical security measure that helps you protect your ServiceNow instance from unauthorized script execution and limits the potential for malicious access or data manipulation.

    Use the glide.script.use.sandbox property to enable script sandboxing.

    Prevent unauthorized or unauthenticated users from executing privileged script on your instance by enabling the script sandbox feature. The script sandbox is used to execute client-generated scripts, such as query conditions and GlideAjax expressions, in a "sandbox" environment that has restricted rights.

    Without the script sandbox, unauthorized/unauthenticated users can execute privileged script on an instance. This can impact security across all areas, including, but not limited to potentially malicious access to all data on the instance.

    Enable the script sandbox feature on your instance by setting the glide.script.use.sandbox system property to true.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.
    There are two cases in the ServiceNow AI Platform that enable the client to send scripts to the server for evaluation:
    Filters or queries
    It is legal to send a filter to the server such as assigned_to=JavaScript:getMyGroups().
    System API
    API call enables the client to run arbitrary scripts on the server and receive a response.
    If you enable the script sandbox, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:
    • Only those business rules marked Client callable are available within the sandbox.
    • Only script includes marked Sandbox enabled are available within the sandbox.
    • Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access are not allowed.)
    • You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update(), are ignored. If you run the ServiceNow AI Platform without enabling script sandboxing, none of these restrictions apply.
    Note:
    Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Yokohama release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.

    More information

    Attribute Description
    Property name glide.script.use.sandbox
    Configuration type System Properties (/sys_properties_list.do)
    Category Validation, sanitization, and encoding
    Purpose Enforces validation for the client-side JavaScript queries that are launched against the platform
    Recommended value true
    Default value true
    Security risk rating 10
    Functional impact This remediation enforces validation for the client-side JavaScript queries that are launched against the ServiceNow AI Platform. There is a potential impact if customer has customizations that include hard-coded JavaScript queries to perform CRUD operations.
    Security risk (Critical) The ServiceNow AI Platform provides wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform.
    References Configuring Script sandbox property
    glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.