Description

ServiceNow occasionally performs health scans on user instances. One practice that will be flagged as a security issue is the use of hardcoded Sys IDs of objects in the instance within scripts. A workaround for this issue is to create system properties that contain the Sys IDs and then retrieve the values from those properties when needed.

Release or Environment

All

Resolution

Note that in the following script, the "encodedquery" string contains the Sys IDs for a manufacturer, a location and a company. This code would be flagged during a health scan as a security issue.

// Flagged version: the Sys IDs are hardcoded in the encoded query string.
var ciName = new GlideRecord('cmdb_ci');
var encodedquery = 'sys_class_name=cmdb_ci_computer^manufacturer=b7e9e843c0a80169009a5a485bb2a2b5^location=f90735e70a0a0b9100de208fbc63907d^company=31bea3d53790200044e0bfc8bcbe5dec';

ciName.addEncodedQuery(encodedquery);
ciName.query();

while (ciName.next()) {
    gs.print('cmdb_ci.name ' + ciName.name);
}

This issue can be addressed by creating a system property record for each of these Sys IDs and retrieving the values with gs.getProperty(). In this example, the system properties "acme_corp", "loc_santa_ana" and "acme_ne" were created with the following values:

acme_corp = b7e9e843c0a80169009a5a485bb2a2b5
loc_santa_ana = f90735e70a0a0b9100de208fbc63907d
acme_ne = 31bea3d53790200044e0bfc8bcbe5dec


The script was then modified to retrieve these values and incorporate them into the encoded query string.

// Read the Sys IDs from system properties instead of hardcoding them.
var acme_corp_SysID = gs.getProperty("acme_corp");
var location_SysID = gs.getProperty("loc_santa_ana");
var company_SysID = gs.getProperty("acme_ne");

var ciName = new GlideRecord('cmdb_ci');
// Build the same encoded query as before from the retrieved values.
var encodedquery = 'sys_class_name=cmdb_ci_computer^manufacturer=' + acme_corp_SysID.toString() + '^location=' + location_SysID.toString() + '^company=' + company_SysID.toString();

ciName.addEncodedQuery(encodedquery);
ciName.query();

while (ciName.next()) {
    gs.print('cmdb_ci.name ' + ciName.name);
}
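The modified script relies on each property existing and holding a well-formed Sys ID; gs.getProperty() returns null for a property that does not exist, and a property value containing "^" would change the query. The following added example (not part of the original article and not ServiceNow code) validates each value before building the encoded query. The helper names, the getProperty callback parameter and the sample property map are assumptions made for illustration, and it assumes standard 32-character hexadecimal Sys IDs.

```javascript
// Added example: hypothetical helpers, not part of the ServiceNow API.
// Assumption: a Sys ID is a 32-character lowercase hexadecimal string.
var SYS_ID_RE = /^[0-9a-f]{32}$/;

// Field -> system property name, using the property names from the article.
var CI_FILTER_PROPERTIES = {
    manufacturer: 'acme_corp',
    location: 'loc_santa_ana',
    company: 'acme_ne'
};

// getProperty is a callback: function (name) -> string or null.
// On an instance, pass: function (name) { return gs.getProperty(name); }
function readSysIdProperty(getProperty, name) {
    var value = getProperty(name);
    if (value === null || value === undefined) {
        throw new Error('System property "' + name + '" is not set');
    }
    value = String(value).trim();
    if (!SYS_ID_RE.test(value)) {
        // Rejects empty values and anything carrying '^' or '=' that would
        // add or change conditions in the encoded query.
        throw new Error('System property "' + name + '" does not hold a sys_id');
    }
    return value;
}

// Builds the article's encoded query from validated property values.
function buildCiQuery(getProperty) {
    var parts = ['sys_class_name=cmdb_ci_computer'];
    Object.keys(CI_FILTER_PROPERTIES).forEach(function (field) {
        parts.push(field + '=' + readSysIdProperty(getProperty, CI_FILTER_PROPERTIES[field]));
    });
    return parts.join('^');
}

// Constructed stand-in for the sys_properties table so the example runs offline.
var SAMPLE_PROPERTIES = {
    acme_corp: 'b7e9e843c0a80169009a5a485bb2a2b5',
    loc_santa_ana: 'f90735e70a0a0b9100de208fbc63907d',
    acme_ne: '31bea3d53790200044e0bfc8bcbe5dec'
};
function sampleGetProperty(name) {
    return SAMPLE_PROPERTIES.hasOwnProperty(name) ? SAMPLE_PROPERTIES[name] : null;
}
```

On an instance, the string returned by buildCiQuery() would be passed to addEncodedQuery() in place of the concatenated string.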


This information can also be found in an answered question by Chuck Tomasi in the Community:

https://community.servicenow.com/community?id=community_question&sys_id=0ed187a9db98dbc01dcaf3231f961934&view_source=searchResult

That answer gives the ServiceNow-suggested method of resolving the issue: retrieving the items from the sys_properties table using the getProperty method.

Article Information

Last Updated: 2019-12-18 10:43:15
Published: 2019-12-18