2
votes

Recently I've received a bunch of Firebase notifications regarding:

[Firebase] Your Cloud Firestore database has insecure rules

We've detected the following issue(s) with your security rules: any user can write to your entire database. Because your project does not have strong security rules, anyone can access your entire database. Attackers can steal, modify, or delete your data, and they can drive up your bill.

Edit2: What I need is to allow write for everyone without any need to sign in, but only the admin account should be able to read it from the Firebase console.

Realtime Database rules:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Cloud Firestore rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write;
    }
  }
}

Edit: the structure of one of the databases in JSON; the others look similar:

{
  "battles" : {
    "-KjiAFLI8oE_12345678" : {
      "full" : true,
      "player1" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      },
      "player2" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      }
    },
    "-KjiAMVvJydR12345678" : {
      "full" : true,
      "player1" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      },
      "player2" : {
        "movement" : {
          "down" : false,
          "left" : false,
          "right" : false,
          "up" : false
        },
        "position" : {
          "x" : 0,
          "y" : 0
        }
      }
    }
  }
}

Edit3: In contrast to the Firebaser's answer to the Firebase email saying my Realtime Database has insecure rules, I don't want to use / don't use Firebase Authentication/SSO.

Given this scenario, do I have to / shall I modify them somehow?
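The requirement in Edit2 (anyone may write, nobody reads through a client, only the admin looks at the data in the console) can be expressed directly in Firestore rules, because the Firebase console and the Admin SDK bypass security rules while client SDKs do not. The following is an added example, not code from the question or the answers: the field names come from the battles JSON above; the decisions to forbid client reads and deletes and to validate the shape of every write are assumptions about what the game needs.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // A player as it appears in the question's JSON: a "movement" map of
    // four booleans and a "position" map of two numbers, nothing else.
    function isPlayer(p) {
      return p.keys().hasOnly(['movement', 'position'])
        && p.movement.keys().hasOnly(['up', 'down', 'left', 'right'])
        && p.movement.up is bool && p.movement.down is bool
        && p.movement.left is bool && p.movement.right is bool
        && p.position.keys().hasOnly(['x', 'y'])
        && p.position.x is number && p.position.y is number;
    }

    // A battle document: "full" plus exactly two players of that shape.
    function isBattle(b) {
      return b.keys().hasOnly(['full', 'player1', 'player2'])
        && b.full is bool
        && isPlayer(b.player1) && isPlayer(b.player2);
    }

    match /battles/{battleId} {
      // No client may read. The console and the Admin SDK bypass rules,
      // so the admin can still inspect the data there.
      allow read: if false;

      // Unauthenticated clients may create or update a battle, but only
      // a document with exactly the shape above (assumed requirement).
      allow create, update: if isBattle(request.resource.data);

      // Nobody deletes through a client.
      allow delete: if false;
    }

    // Paths not matched above are denied by default; no catch-all needed.
  }
}
```

What this buys and what it does not: the shape check stops arbitrary documents and oversized payloads, and closing read and delete removes the "steal" and "delete" parts of the alert. It cannot stop anyone from creating battle documents at will, since rules have no rate limiting, so the "drive up your bill" risk remains for any collection that accepts unauthenticated writes; budget alerts or App Check are the usual mitigations on top. The same idea transfers to the Realtime Database with `".read": false` and a `.validate` rule under `battles/$battleId` that enforces the child keys.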

2
I think it's a bit beyond the scope of Stack Overflow for us to translate your list of use-cases to working code/rules. The email should contain a link to this documentation about how to get started with security rules: firebase.google.com/docs/rules/get-started If you get stuck on a specific rule, I recommend posting details about that specific rule. – Frank van Puffelen
Disagree. All use cases are related to writing to a database without the need to have any privileges. There are many projects with such a case, and people are confused. PS. Please don't remove my code snippets, I also wanted to showcase security rules to my Realtime Database. In both cases the logic is the same. – Daniel Danielecki
Will you please share your Firestore database structure? – Mehran B
@MehranB of course, edited. – Daniel Danielecki
It's a good idea to include code and structures as text, not links and images. That way, if they are needed in an answer, they can be copied and pasted. To get your Firebase structure, use the Firebase console->Export JSON and copy and paste a snippet of your structure. See images and links are evil. – Jay

2 Answers

2
votes

I can think of two solutions without risking compromising security (to some extent):

  1. You can use Authentication for users and only allow read or write access to authenticated users (which I understand is a hassle, especially when coding a game), like so:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if request.auth != null;
    }
  }
}
  2. You can use some sort of 10-char sequence, for example, combined with the document names in your database (for example, "Users-xQnFiECweq") and then edit your security rules accordingly.

For example:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /Users-xQnFiECweq {
      match /Courses-QrmGvMgF9C {
        match /{multiSegment=**} {
          allow write;
        }
      }
    }
  }
}

The string values at the end of document or collection names kind of act as passwords that only you know, and it makes it difficult for another person to guess the exact structure of your database.

I understand it's a bit of a strange approach but it's better than giving write access to just everyone.

2
votes

I get these emails, but there's nothing that can be done to fix mine, because that's just the way my system works.

In your case, the reason is:

allow write;

in your Cloud Firestore rules. This means anyone can access the database from anywhere.

Thus,

Attackers can steal, modify, or delete your data, and they can drive up your bill.

Change this rule to only allow authenticated access, and the alert should stop.

– Luka S.
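Both answers end at "require authentication", which the question rejects because it does not want a sign-up flow. Firebase Authentication's anonymous sign-in still uses Firebase Authentication, but it needs nothing from the player, and once every client has a uid the rules can do more than `request.auth != null`: each slot of a battle can be tied to the client that claimed it. The following is an added example, not code from either answer; the `uid` field inside `player1` and `player2`, the convention that `full == false` marks a battle waiting for a second player, and the join step are assumptions layered on the question's data shape.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Assumed field: each player map carries the uid of the client that
    // owns that slot. The question's documents do not have it.
    function isPlayer1() {
      return signedIn() && request.auth.uid == resource.data.player1.uid;
    }

    function isPlayer2() {
      return signedIn() && 'player2' in resource.data
        && request.auth.uid == resource.data.player2.uid;
    }

    // True when the write changes no top-level keys other than those listed.
    function touchesOnly(keys) {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(keys);
    }

    match /battles/{battleId} {
      // Opening a battle: the creator takes the player1 slot and the
      // battle starts without a second player (assumed convention).
      allow create: if signedIn()
        && request.resource.data.player1.uid == request.auth.uid
        && request.resource.data.full == false;

      // Only the two participants may read the battle state.
      allow read: if isPlayer1() || isPlayer2();

      // Joining: any other signed-in client may take the free player2
      // slot exactly once, and must mark the battle full while doing so.
      allow update: if signedIn()
        && resource.data.full == false
        && request.auth.uid != resource.data.player1.uid
        && request.resource.data.full == true
        && request.resource.data.player2.uid == request.auth.uid
        && touchesOnly(['player2', 'full']);

      // Moving: each participant may change only their own slot and may
      // not hand that slot to another uid.
      allow update: if isPlayer1()
        && touchesOnly(['player1'])
        && request.resource.data.player1.uid == resource.data.player1.uid;
      allow update: if isPlayer2()
        && touchesOnly(['player2'])
        && request.resource.data.player2.uid == resource.data.player2.uid;

      // Nobody deletes through a client; clean-up is left to the Admin SDK.
      allow delete: if false;
    }
  }
}
```

Several `allow update` lines in one match are evaluated as alternatives: the write goes through if any of them is true. The `diff(...).affectedKeys()` check is what keeps a player from rewriting the other player's movement or position in the same request, which a plain `request.auth != null` rule would still permit.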