Enable script sandbox

This issue is found automatically by CODA.
Time to fix: 30min

What is the importance of Sandbox Scripting?

Sandbox scripting involves running scripts in a secure and isolated environment called a "sandbox". The sandbox provides a controlled area where scripts can execute with limited access to system resources and sensitive operations. Its purpose is to enhance security by preventing potential damage that scripts might cause if executed in a fully privileged environment.

In ServiceNow, the sandbox could be a dedicated Quality Assurance (QA) instance where access is restricted for security and quality assurance purposes. Script sandboxing is a feature that helps secure and control the execution of client-generated scripts on the server.

Therefore, when the glide.script.use.sandbox property is enabled, it restricts client-originating scripts in two situations:

  1. Filters and queries: Clients can send filters for evaluation on the server.

  2. System API: Clients can use the AJAXEvaluate API call to run custom scripts on the server and get a response.

Note that in both situations the script runs in a restricted environment: client scripts and business rules work only if they are marked as client callable, and API calls are limited when dealing with database access. Lastly, to protect the sandbox instance, you won't be able to insert, update, or delete data.

If you run the system without script sandboxing enabled, none of these restrictions will apply.

Why is this an issue?

An instance without the glide.script.use.sandbox property enabled can lead to the following issues:

Data manipulation: Data could be inserted, updated, or deleted, which could cause integrity issues and compromise the sandbox.

Unauthorized access: Unrestricted scripts could be exploited to gain unauthorized access to parts of the system or to sensitive information, bypassing security measures.

How do I fix it?

The glide.script.use.sandbox property is activated by default on new instances. ServiceNow warns not to activate this property outside the plugin. Once this property is active, you will not be able to deactivate it. To comply with this warning, follow these steps with the security_admin role:

  1. In the Filter Navigator, go to High Security Settings.

  2. Search for the option:

    Run client generated scripts (AJAXEvaluate and query conditions) inside of a reduced rights "sandbox". If enabled, only those business rules and script includes with the "Client callable" checkbox set to true are available and certain back-end API calls are disallowed.

  3. Set the checkbox to Yes and click Save.
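
To confirm the result across several instances, the following added example (not CODA's or ServiceNow's own code) classifies the glide.script.use.sandbox property from Table API responses for sys_properties. The function names, the instance names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: audit saved Table API responses for the sandbox property.
// Each response is the parsed JSON body of a request such as
//   GET /api/now/table/sys_properties
//       ?sysparm_query=name=glide.script.use.sandbox&sysparm_fields=name,value
const SANDBOX_PROPERTY = 'glide.script.use.sandbox';

// Returns { status, detail } for one instance (hypothetical helper).
function classifySandbox(responseBody) {
  const rows = Array.isArray(responseBody && responseBody.result)
    ? responseBody.result
    : [];
  const matches = rows.filter((r) => r && r.name === SANDBOX_PROPERTY);
  if (matches.length === 0) {
    // No record returned: do not assume a default, have someone review it.
    return { status: 'missing', detail: 'no record; review High Security Settings' };
  }
  // Assumption: only the string "true" (ignoring case and padding) counts as on.
  const values = matches.map((r) =>
    String(r.value == null ? '' : r.value).trim().toLowerCase());
  const bad = values.find((v) => v !== 'true');
  if (bad === undefined) {
    return { status: 'enabled', detail: 'client-generated scripts are sandboxed' };
  }
  return { status: 'disabled', detail: `value is "${bad}"` };
}

// Maps { instanceName: responseBody } to a list of findings.
function auditInstances(exportsByInstance) {
  return Object.entries(exportsByInstance).map(([instance, body]) =>
    ({ instance, ...classifySandbox(body) }));
}

// Names of instances that still need attention.
function failing(findings) {
  return findings.filter((f) => f.status !== 'enabled').map((f) => f.instance);
}

// Constructed sample responses, not taken from real instances.
const SAMPLE_EXPORTS = {
  'dev.example': { result: [{ name: SANDBOX_PROPERTY, value: 'true' }] },
  'test.example': { result: [{ name: SANDBOX_PROPERTY, value: 'false' }] },
  'prod.example': { result: [] },
};

for (const f of auditInstances(SAMPLE_EXPORTS)) {
  console.log(`${f.instance}: ${f.status} (${f.detail})`);
}
```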