This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Client Generated Scripts Sandbox.
When set to true, the glide.script.use.sandbox property enables script sandboxing. This property belongs to the same family of 2.8 (glide.script.allow.ajaxevaluate) and 3.9 (glide.script.secure.ajaxgliderecord) that secures and restricts execution of scripts originating from the client.
There are two cases within the system that allow the client to send scripts to the server for evaluation:
- Filters and/or queries: It is legal to send a filter to the server such as assigned_to=javascript:getMyGroups()
- System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response
If you enable script sandboxing, the script being evaluated at either of these two entry points runs within a reduced rights sandbox with the following characteristics:
- Only those business rules marked client callable are available within the sandbox
- Only script includes marked client callable are available within the sandbox
- Certain API calls (largely, but not entirely, limited to those dealing with direct DB access) are not allowed
- Data cannot be inserted, updated, or deleted from within the sandbox – any calls to current.update(), for example, are ignored
If you run the system without script sandboxing enabled, none of these restrictions apply.
| Client Generated Scripts Sandbox | |
|---|---|
| Property Name | glide.script.use.sandbox |
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | Enforces validation for the client-side JavaScript queries that are launched against the platform |
| Requirement | Mandatory |
| Recommended Value | True |
| Default Behavior | Set to true |
| Revertible behavior | Once changed, it cannot be reverted back |
| Role required | Security_admin |
| Release Version | Fall 2009 |
| Functional Impact | (High) This remediation enforce validation for the client-side javascript queries that are launched against the platform. There is a potential impact if customer has customizations that include hard coded JS queries to perform CRUD operations. |
| Security Risk | (High) The ServiceNow platform provides wide variety of features and functionality through Javascript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform. |
| Workaround | No other workaround available. |
| References | r_ScriptSandboxing |
