1
votes

I need help determining if my Firebase Cloud Firestore setup is secure or vulnerable to hacks.

In the database I have a single collection called userids which contains many documents. Each document contains data pertaining to the user whose userid is the name of the document. An example of this is:

userids (collection)
    123456 (document)
        field1: "..."
        field2: "..."
        field3: "..."
    777777 (document)
        field1: "..."
        field2: "..."
        field3: "..."
    999999 (document)
        field1: "..."
        field2: "..."
        field3: "..."

The functionality I need to have is then as follows:

• Given a userid such as userid=123456 a client or server must be able to read and write data only to the document with name equal to 123456 (the client/server cannot read or write data to the documents with names 777777 or 999999).

• Under no circumstance can anyone access a list of Documents which exist in the database, or the names of any of these Documents.

The security rules I currently have to enforce this behaviour are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write;
    }
  }
}

Now, let's say that all of the userids in the database are actually SHA256 hash values which uniquely represent each user. Assuming that this SHA256 hash was known only by the user, would this setup be secure, since to read/write from a document you would need to know the user's hash? Is there any way that someone could find out the names of all of the Documents in the database?

1
Re-asking on security.stackexchange.com seems better suited. Also, without knowing the application code we can't tell, as security is only as strong as the weakest link, so if the sign-in is leaked or uses unsafe session management, the whole system after it is simply leaked. - Raymond Nijland

1 Answer

1
votes

With your current rules anyone can read anything from the database. They can not only get each individual document, but (as far as I can see) they can also list all documents once they know the collection they're in. Since userids is not that hard to guess, I'd say you're quite open to abuse here.

More secure would be to only allow them to get a document once they know its full path/ID, and not allow them to list the documents in a collection. You can do this by using the more granular rules of Firestore, breaking up read into list and get.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow get;
    }
  }
}

This allows them to get a document if they know its complete path, but not get a list of all documents.
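A fuller version of the granular rules, added here as an example and not part of the answer above: it keeps the get-but-not-list split, applies the same split to write (create/update/delete), and scopes the match to the userids collection from the question instead of the recursive wildcard, so nothing outside it matches at all. The collection name and the auth-based condition in the comment are assumptions about the asker's setup.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Only documents directly under /userids are addressable at all.
    // Any path this block does not match is denied by Firestore's default.
    match /userids/{userId} {
      // A single document can be fetched by its full path (/userids/<id>) ...
      allow get: if true;
      // ... but a collection query, which would enumerate document IDs, cannot.
      allow list: if false;

      // Writes are split the same way: a client that knows the ID may create
      // or update exactly that document, but may not remove it.
      allow create, update: if true;
      allow delete: if false;

      // If the app uses Firebase Authentication, tie the document to the
      // signed-in user instead of relying on the ID staying secret, e.g.
      //   allow get, create, update: if request.auth != null
      //                                && request.auth.uid == userId;
    }
  }
}
```

Note that these rules only govern access through Firestore itself; a document ID that leaks through the client, logs or URLs can still be used by whoever obtains it, which is what the comment above means by the weakest link.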