GetClientIP() Lies.....sometimes.

The Problem

During a recent conversation on the #sndevs Slack, jarodm pointed out an issue with getClientIP() that I was not aware of. The IP address it returns does not change after the initial session is established.

Why is this important? Suppose you have an ACL on a field leveraging this code. I connect to ServiceNow while on VPN, then disconnect and connect to some random open Wi-Fi. Because my original IP was on the corporate network, all ACL checks still pass.

See the example below:

ON VPN: getClientIP: 199.247.xxx.xxx
OFF VPN: getClientIP: 199.247.xxx.xxx

The Fix

GlideTransaction.get().getRemoteAddr()

This API call gets the IP address of the current transaction. The only caveat is that it is not available in scope; a script include needs to be created in global for scoped access. The example below shows that the IP does indeed change when using the GlideTransaction API.

ON VPN: GlideTransaction: 199.247.xxx.xxx
OFF VPN: GlideTransaction: 74.136.xxx.xxx
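
A sketch of the global script include described above, added here as an example (not code from the original post). The name TransactionIPUtil, its methods, the IPv4 CIDR check and the SIMULATED_ADDR stand-in used when GlideTransaction is unavailable are all assumptions; on an instance the script include would typically be declared with Class.create() and made accessible from all application scopes.

```javascript
// Added example. Outside a ServiceNow instance (e.g. Node.js) GlideTransaction
// does not exist, so a constructed stand-in is used for the demo.
var SIMULATED_ADDR = '198.51.100.7'; // constructed sample address
var txApi = (typeof GlideTransaction !== 'undefined') ? GlideTransaction : {
    get: function () {
        return { getRemoteAddr: function () { return SIMULATED_ADDR; } };
    }
};

// Hypothetical global Script Include body; name and methods are assumptions.
function TransactionIPUtil() {}
TransactionIPUtil.prototype = {
    // Address of the request being processed right now, not the login-time one.
    getRemoteAddr: function () {
        return String(txApi.get().getRemoteAddr());
    },
    // True when the current request's IPv4 address falls inside any CIDR.
    isInRanges: function (cidrs) {
        var ip = toInt(this.getRemoteAddr());
        if (ip === null) return false; // fail closed on anything unparsable
        return cidrs.some(function (cidr) {
            var parts = cidr.split('/');
            var base = toInt(parts[0]);
            var bits = parseInt(parts[1], 10);
            if (base === null || !(bits >= 0 && bits <= 32)) return false;
            var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
            return ((ip & mask) >>> 0) === ((base & mask) >>> 0);
        });
    },
    type: 'TransactionIPUtil'
};

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if invalid.
function toInt(addr) {
    var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(addr));
    if (!m) return null;
    var n = 0;
    for (var i = 1; i <= 4; i++) {
        var octet = parseInt(m[i], 10);
        if (octet > 255) return null;
        n = n * 256 + octet;
    }
    return n >>> 0;
}
```

Because the address is read on every call, an ACL script that evaluates `new TransactionIPUtil().isInRanges([...])` stops passing as soon as the user's requests arrive from outside the listed ranges.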
