Client generated scripts sandbox (instance security hardening)

Watch

Save as PDF

Share this page

Feedback

HomeVancouver Platform securityPlatform SecurityInstance Security CenterInstance Security Hardening SettingsInput validationClient generated scripts sandbox (instance security hardening)

Table of Contents

Client generated scripts sandbox (instance security hardening)

Release version:
Vancouver
Washington DC
UpdatedAug 3, 2023
2 minutes to read

Vancouver
Platform Security

The Vancouver release is no longer supported. As such, the product documentation and release notes are provided for informational purposes only, and will not be updated.

Use the glide.script.use.sandbox property to enable script sandboxing.

There are two cases in the Now Platform that enable the client to send scripts to the server for evaluation:

Filters or queries: It is legal to send a filter to the server such as assigned_to=JavaScript:getMyGroups().
System API: API call enables the client to run arbitrary scripts on the server and receive a response.

If you enable script sandboxing, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:

Only those business rules marked client callable are available within the sandbox.
Only script includes marked client callable are available within the sandbox.
Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access are not allowed.
You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update(), are ignored. If you run the Now Platform without enabling script sandboxing, none of these restrictions apply.

More information

Search:


Attribute	Description
Property name	glide.script.use.sandbox
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	Enforces validation for the client-side JavaScript queries that are launched against the platform
Recommended value	true
Functional Impact	This remediation enforces validation for the client-side JavaScript queries that are launched against the Now Platform. There is a potential impact if customer has customizations that include hard-coded JavaScript queries to perform CRUD operations.
Security risk	(High) The Now Platform provides wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform.
References	Configuring Script sandbox property glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client: glide.script.allow.ajaxevaluate: See Enable AJAXEvaluate. glide.script.secure.ajaxgliderecord: See Enabling AJAXGlideRecord ACL checking.

To learn more about adding or creating a system property, see Add a system property.

Vancouver Platform security

Filters

Versions

Products