FixVibe

Firebase rules scanner: find open Firestore, Realtime Database, and Storage rules

Firebase apps fail security in one specific way: the allow read, write: if true; rules left behind by the test-mode quickstart, never changed before production. AI coding tools reproduce these rules verbatim from documentation examples and, much of the time, never ask the developer to harden them. This document explains how a Firebase rules scanner detects open rules in Firestore, Realtime Database, and Cloud Storage from outside the project, and how to fix what it finds.

How the scanner finds open Firebase rules

Firebase services are exposed at well-known, predictable URLs. A scanner with no credentials at all can probe each one and observe whether anonymous reads succeed. The FixVibe baas.firebase-rules check runs three independent probes, one per Firebase service:

  • Firestore. The scanner extracts the project ID from the deployed app's bundle (it is in firebase.initializeApp({ projectId: ... })), then issues GET https://firestore.googleapis.com/v1/projects/[project-id]/databases/(default)/documents/[collection]:listDocuments against common collection names. A 200 OK with documents in the response means allow read is permissive.
  • Realtime Database. The scanner probes https://[project-id]-default-rtdb.firebaseio.com/.json. If the root is readable, the response is the entire database tree as JSON. A lighter test, querying .json?shallow=true, returns only the top-level keys; a successful response is a finding either way.
  • Cloud Storage. The scanner queries https://firebasestorage.googleapis.com/v0/b/[project-id].appspot.com/o. If the response lists file names without authentication, the bucket is anonymously listable. Listable storage is a finding even when individual file downloads are denied: attackers enumerate the bucket to find guessable filenames.

The truth about the test-mode footgun

Firebase's quickstart documentation includes a rule block that has been copied all over the internet:

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

Firebase used to attach an automatic 30-day expiry to these rules. That has changed: today the rules stay in place until the developer changes them. AI coding tools, trained on years of documentation that contains the test-mode block, reproduce it verbatim and tell the developer "this is your security rule." It is not.

Other variants that show up in production and are just as permissive:

```firebase
// future-date variant: equivalent to "if true" until the date passes
allow read, write: if request.time < timestamp.date(2099, 1, 1);

// public-read variant: anyone reads, any signed-in user writes anything
allow read: if true;
allow write: if request.auth != null;

// any-auth variant: any signed-in user owns every document
allow read, write: if request.auth != null;
```

  • The future-timestamp variant: a rule that allows everything until a far-future date. In practice it never expires (see the block above).
  • allow read: if true; allow write: if request.auth != null; public reads, and every authenticated user can write.
  • allow read, write: if request.auth != null; every signed-in user can read or write every document, including other users' data.
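As an added example that is not part of this page or FixVibe's own tooling, a small Node.js pre-deploy check that scans firestore.rules text for the three permissive patterns listed above. The rules it runs on are a constructed sample, and the allow-statement regex is a deliberate simplification of the real rules grammar.

```javascript
// Added example, not FixVibe's scanner: a static pre-deploy check for the
// permissive `allow` conditions this page lists. Sample input is constructed.
const ALLOW_RE = /allow\s+([a-z,\s]+?)\s*(?::\s*if\s+([^;]+))?;/g;
// Verdict for a known footgun, or null when the condition is not one of the
// patterns checked here (it may still be wrong in other ways).
function classifyCondition(cond) {
  if (cond === undefined) return 'unconditional (no if clause)';
  const c = cond.replace(/\s+/g, ' ').trim();
  if (c === 'true') return 'unconditional (if true)';
  if (/request\.time\s*<\s*timestamp\.date\(/.test(c))
    return 'future-date gate (equivalent to if true until that date)';
  if (/^request\.auth(?:\.uid)?\s*!=\s*null$/.test(c))
    return 'any signed-in user (no uid scoping)';
  return null;
}

// One finding per permissive `allow` statement, in source order; comments
// are stripped first so a commented-out rule is not reported.
function lintRules(rulesText) {
  const findings = [];
  for (const m of rulesText.replace(/\/\/.*$/gm, '').matchAll(ALLOW_RE)) {
    const verdict = classifyCondition(m[2]);
    if (verdict === null) continue;
    findings.push({
      ops: m[1].split(',').map((s) => s.trim()).filter(Boolean),
      rule: m[0].replace(/\s+/g, ' ').trim(),
      verdict,
    });
  }
  return findings;
}

// Constructed sample: two footguns from the page plus one correctly scoped rule.
const SAMPLE_RULES = `service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2099, 1, 1);
    }
    match /posts/{postId} {
      allow read: if true;
      allow write: if request.auth != null; // public reads, any-auth writes
    }
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}`;
for (const f of lintRules(SAMPLE_RULES)) console.log(`${f.verdict}: ${f.rule}`);
```

The uid-scoped users rule produces no finding; the three statements above it each produce one, which is the shape of output a CI step could fail the deploy on.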

What to do when the scanner finds an open rule

Open Firebase rules are a runtime emergency. The fix has the same shape across all three services: scope every rule to request.auth.uid and an explicit owner field. Each service, with its own rule syntax:

Firestore

Scope the document path to the authenticated user. The path-segment binding {userId} ensures that the only document a user can touch is their own.

```firebase
match /users/{userId} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}
```

Realtime Database

The $uid wildcard captures the path segment so it can be compared with auth.uid.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
```

Cloud Storage

Convention: store files under users/[uid]/[filename] so that the owner is encoded in the path and the rule can match on it.

```firebase
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}
```

Deploy the rules with the Firebase CLI, one target per service. Confirm the new rules are live in production by re-running the FixVibe scan: the baas.firebase-rules finding should no longer be reported.

```bash
firebase deploy --only firestore:rules
firebase deploy --only database
firebase deploy --only storage
```

Comparison with Firebase's built-in tools

The Firebase Console shows the rules as written but does not audit runtime behaviour. The Firebase Rules simulator lets you test rule logic against synthetic requests, which is useful but purely local. Neither tool tells you what your production rules expose to an unauthenticated attacker on the public internet. An external scanner such as FixVibe (or Burp Suite with manual configuration) is the only thing that probes from the same angle as the attacker. Google's own App Check mitigates abuse but is not a substitute for correctly scoped rules.

Frequently asked questions

Does the scanner read or modify my Firestore data?

Passive scans perform at most a single anonymous read per service to confirm whether the rules allow it. The scanner records the response shape and whether data is present; it does not paginate, enumerate documents, or write. Write probes are gated behind verified domain ownership and never run against unverified targets.

What if my Firebase project uses App Check?

App Check rejects unauthenticated requests with a 403. A scanner without an App Check token will see 403 on every probe, which is the correct outcome. App Check is not a substitute for rule correctness (an App Check token paired with an open rule still leaks data), but it does block opportunistic external scans.

Can the scanner detect partial rule misconfigurations (read open, write closed)?

Yes. Each rule (allow read, allow write) is probed separately. A read-only probe that succeeds with 200 OK produces an open-read finding even when writes are denied. The two findings are kept distinct because data exfiltration and data manipulation are different risks.

Does this work for Firebase apps deployed on a custom domain?

Yes. The scanner extracts the Firebase project ID from the deployed bundle, not from the domain. Custom domains, app.web.app subdomains, and self-hosted Firebase apps all work as long as the JavaScript bundle is reachable.

Next steps

Run a FixVibe scan against your production URL: the baas.firebase-rules check ships in every plan and flags open rules in Firestore, Realtime Database, and Cloud Storage. For a deeper explanation of the allow read, write: if true pattern, see Firebase allow read, write: if true explained. For a comparative view across Supabase, Firebase, Clerk, and Auth0, read BaaS misconfiguration scanner.

// scan your baas surface

Find the open door before someone else does.

Paste in a production URL. FixVibe identifies which BaaS provider your app talks to, fingerprints its public endpoints, and reports what an unauthenticated client can read or write. No payment, no install, no card.

  • Free tier: 3 scans / month, no card required at signup.
  • Passive BaaS fingerprinting: no domain verification required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompts for every finding: paste back into Cursor / Claude Code.