Firebase Storage Security Rules

Question

I am using fire base storage for my application which connects to front end. My current storage rules for only of the bucket folders is :

match {groupID}/{userId}/{image} {
        allow read: if isValidProvider() && request.auth.token.groupId == groupID && request.auth.uid == userId;
        allow write: if isValidProvider() && request.auth.uid == userId &&  request.auth.token.groupId== groupID && isImageValid() && isValidImageExtension(image);
      }
    }

Functions are as below :

function isImageValid(){
    return (request.resource.contentType.matches('image/png') ||
        request.resource.contentType.matches('image/jpg') ||
        request.resource.contentType.matches('image/jpeg') ||
        request.resource.contentType.matches('image/webp') ||
          request.resource.contentType.matches('image/gif'));
        
  }



  function isValidImageExtension(image) {
  return (image.matches('.*[.]png') || 
      image.matches('.*[.]jpeg') ||
      image.matches('.*[.]jpg') ||
      image.matches('.*[.]webp')||
      image.matches('.*[.]gif'));
  }

My intention is the read access is given on groupID basis and write access is given on user ID basis. Also, in the folder - it should only accept images with formats - png/jpeg/jpg/webp/gif

However, while trying to test this via postman - I am able to add a ndjson file or .py file. For Example - The API call ends with - test.jpg but in the body - binary I am adding a .py file. Also, in the storage the .py is saved as type - image/jpg.

This is being added to the storage.

How can I restrict only image files be added from backend ?

Best way to achieve this would be a backend side file type validation before you put the file in the firebase storage. Why do you want firebase rules to handle this? — Lukas
we have been planning to use backend side file validation - but wanted to understand if the same can be achieved via rules. That would be a quick fix. Otherwise, backend validation would be a lot of architecture change. — umang kaul
Hi @FrankvanPuffelen My API Call is something like - https://$API_URL2%2Ftest.jpg And then in body - I go to binary and add .py file. It gives me success response 200 OK. Also, the same py file is added in my bucket. Which I ideally expect to be blocked by rules. Because of the contentType Validation. — umang kaul

Frank van Puffelen Frank van Puffelen · Accepted Answer · 2020-09-17T20:22:45

The documentation on uploading files is clearest on how contentType is determined:

The putFile() method automatically infers the MIME type from the File extension, but you can override the auto-detected type by specifying contentType in the metadata. If you do not provide a contentType and Cloud Storage cannot infer a default from the file extension, Cloud Storage uses application/octet-stream.

So Firebase does not look at the actual contents of the file to set determine the content type.

Instead the content type is derived from the filename extension, and you can override that by explicitly setting the content type in the metadata when you upload the file.

Since you don't set metadata, the content type is determined from the .jpg extension in the file name. The Python contents are not used in determining that.

If you want a stricter check on content type, consider running a Cloud Function that is triggered on an upload and use a file type sniffer that looks at the actual contents of the file to validate the type. You could then either remove the file if its contents don't match its type, or for example add a verified property to the metadata that you can then check in clients.

Firebase Storage Security Rules

2 Answers