FixVibe


Firebase rules scanner: find open Firestore, Realtime Database, and Storage rules

Firebase apps fail security the same way over and over: `allow read, write: if true;` rules left over from the test-mode quickstart and never replaced before production. AI coding tools produce these rules verbatim from documentation examples and rarely prompt the developer to harden them. This article shows how the Firebase rules scanner detects open rules in Firestore, Realtime Database, and Cloud Storage from outside the project, and how to fix what it finds.

How the scanner finds open Firebase rules

Firebase services expose well-known, predictable URL patterns. An unauthenticated scanner can probe each one and observe whether anonymous reads succeed. FixVibe's baas.firebase-rules check runs three independent probes, one per Firebase service:

  • Firestore. The scanner extracts the project ID from the deployed app's bundle (it is in `firebase.initializeApp({ projectId: ... })`), then issues `GET https://firestore.googleapis.com/v1/projects/[project-id]/databases/(default)/documents/[collection]:listDocuments` against common collection names. A `200 OK` with documents in the response means `allow read` is permissive.
  • Realtime Database. The scanner probes https://[project-id]-default-rtdb.firebaseio.com/.json. If the root is readable anonymously, the response is the entire data tree as JSON. The lighter probe requests .json?shallow=true, which returns only the top-level keys; either path succeeding is a finding.
  • Cloud Storage. The scanner requests https://firebasestorage.googleapis.com/v0/b/[project-id].appspot.com/o. If the response lists file names without authentication, the bucket is anonymously listable. Listable storage is a finding even when file download is denied: attackers enumerate the bucket to find guessable file names.
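The three probes above, as an added self-audit example that is not FixVibe's scanner code: it builds the well-known read URLs from a project ID and classifies a response the way the article describes. The status names are my own, and the sample responses in the test are constructed; `probe_live` is meant for a project you own.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

@dataclass
class Finding:
    service: str
    status: str   # "open-read", "likely-open", "denied", "inconclusive" (names assumed)
    detail: str

def probe_urls(project_id: str, collection: str = "users") -> dict:
    """Well-known read endpoints, one per service; project_id comes from the app bundle."""
    return {
        "firestore": (f"https://firestore.googleapis.com/v1/projects/{project_id}"
                      f"/databases/(default)/documents/{collection}:listDocuments"),
        "rtdb": f"https://{project_id}-default-rtdb.firebaseio.com/.json?shallow=true",
        "storage": f"https://firebasestorage.googleapis.com/v0/b/{project_id}.appspot.com/o",
    }

def classify(service: str, http_status: int, body: str) -> Finding:
    """Map one anonymous GET's (status, body) to a finding. Reads only; nothing is written."""
    if http_status in (401, 403):
        return Finding(service, "denied", f"HTTP {http_status}: rules or App Check rejected the read")
    if http_status != 200:
        return Finding(service, "inconclusive", f"unexpected HTTP {http_status}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Finding(service, "inconclusive", "200 but body is not JSON")
    if service == "firestore" and isinstance(data, dict) and data.get("documents"):
        return Finding(service, "open-read", f"{len(data['documents'])} document(s) listed")
    if service == "rtdb" and isinstance(data, dict) and data:
        return Finding(service, "open-read", f"top-level keys exposed: {sorted(data)}")
    if service == "storage" and isinstance(data, dict) and data.get("items"):
        return Finding(service, "open-read", f"{len(data['items'])} object(s) listed")
    # 200 with no data: the rule allowed the read, there was just nothing to return
    return Finding(service, "likely-open", "200 with empty body: read allowed, no data present")

def probe_live(project_id: str, timeout: float = 5.0) -> list:
    """Issue one anonymous GET per service against a project you own and classify each."""
    findings = []
    for service, url in probe_urls(project_id).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                findings.append(classify(service, resp.status, resp.read().decode()))
        except urllib.error.HTTPError as e:
            findings.append(classify(service, e.code, e.read().decode(errors="replace")))
    return findings
```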

Why the test-mode default is a real problem

The Firebase quickstart docs include one of the most-copied rule blocks on the internet:

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

Firebase used to apply an automatic 30-day expiry to these rules. That has changed: today the rules run indefinitely until the developer replaces them. AI coding tools, trained on years of documentation containing the test-mode block, frequently emit it verbatim and tell the developer "this is your security rule." It is not.

Other variants that show up in production but are just as permissive:

```firebase
// future-date variant: equivalent to "if true" until the date passes
allow read, write: if request.time < timestamp.date(2099, 1, 1);

// public-read variant: anyone reads, any signed-in user writes anything
allow read: if true;
allow write: if request.auth != null;

// any-auth variant: any signed-in user owns every document
allow read, write: if request.auth != null;
```

  • Future-timestamp variant: a rule that permits everything until some distant date. It does not really expire (see the first rule in the block above).
  • allow read: if true; allow write: if request.auth != null; — public reads, and any authenticated user can write.
  • allow read, write: if request.auth != null; — any signed-in user can read or write any document, including other users' data.
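A pre-deploy check for the three shapes listed above, as an added example that is not FixVibe's or Firebase's code: a small linter that flags `if true`, the time-boxed `request.time < timestamp.date(...)` form, and a bare `request.auth != null` condition in a rules file. The severity labels are my own, and the sample rule texts are constructed from the blocks on this page.

```python
import re
from dataclasses import dataclass

ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?)\s*:\s*if\s+(.+?);", re.S)
TIMEBOX_RE = re.compile(r"request\.time\s*<\s*timestamp\.date\(([^)]*)\)")
ANY_AUTH = {"request.auth != null", "request.auth.uid != null"}

@dataclass
class RuleIssue:
    verbs: list
    condition: str
    severity: str   # "critical" (anyone) or "high" (any signed-in user); labels assumed
    reason: str

def lint_rules(rules_text: str) -> list:
    """Flag every `allow ...: if <cond>;` whose condition has a known-permissive shape."""
    text = re.sub(r"//[^\n]*", "", rules_text)          # drop line comments first
    issues = []
    for m in ALLOW_RE.finditer(text):
        verbs = [v.strip() for v in m.group(1).split(",")]
        cond = " ".join(m.group(2).split())             # normalize whitespace/newlines
        if cond == "true":
            issues.append(RuleIssue(verbs, cond, "critical", "test-mode default: open to everyone"))
        elif (tb := TIMEBOX_RE.fullmatch(cond)):        # only the date check, nothing else
            issues.append(RuleIssue(verbs, cond, "critical",
                                    f"time-boxed open rule: anyone until timestamp.date({tb.group(1)})"))
        elif cond in ANY_AUTH:
            issues.append(RuleIssue(verbs, cond, "high", "any signed-in user, no ownership check"))
    return issues

# Constructed samples: the quickstart default, the production variants, and a scoped rule.
TEST_MODE = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
"""
VARIANTS = """
allow read, write: if request.time < timestamp.date(2099, 1, 1);
allow read: if true;
allow write: if request.auth != null;
allow read, write: if request.auth != null;
"""
SCOPED = """
match /users/{userId} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}
"""
```

Run it on firestore.rules before `firebase deploy`; an empty list means none of the three patterns is present, not that the rules are correct.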

What to do when the scanner finds an open rule

Open Firebase rules are a runtime emergency. The fix has the same shape across all three services: scope every rule to request.auth.uid on an explicit ownership path. Each service has its own rule syntax:

Firestore

Binding the {userId} path segment to request.auth.uid makes that document the only one the user can touch:

```firebase
match /users/{userId} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}
```

Realtime Database

The $uid wildcard captures the path segment for comparison with auth.uid:

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
```

Cloud Storage

Convention: store files under users/[uid]/[filename] and let the path enforce ownership:

```firebase
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}
```

Deploy the rules through the Firebase CLI, one target per service. Confirm the new rules are live in production by re-running the FixVibe scan; the baas.firebase-rules finding should clear.

```bash
firebase deploy --only firestore:rules
firebase deploy --only database
firebase deploy --only storage
```

How this compares to the tools built into Firebase

The Firebase Console shows you the current rules but does not test them against runtime behaviour. The Firebase Rules Simulator lets you exercise rule logic against synthetic requests, which is useful but local. Neither tool tells you what your production rules actually grant to an anonymous attacker on the public internet. An external scanner like FixVibe (or Burp Suite with manual setup) is the only thing that checks from the same angle an attacker would. Google's own App Check reduces abuse but does not replace correctly scoped rules.

Frequently asked questions

Will the scanner read or modify my Firestore data?

A passive scan issues at most one anonymous read per service to confirm whether the rules grant access. The scanner records the response shape and the presence of data; it does not paginate, does not enumerate documents, and does not write. Write probes are gated behind verified domain ownership and never run against an unverified target.

What if my Firebase project uses App Check?

App Check rejects unverified requests with a 403. A scanner without an App Check token will see 403 on every probe, which is the correct result. App Check does not replace correct rules (a stolen App Check token combined with an open rule still leaks data), but it does block casual external probing.

Can the scanner detect partial rule misconfigurations (open read, closed write)?

Yes. Each rule (allow read, allow write) is probed separately. A read-only probe that succeeds with 200 OK reports an open-read finding even when writes are denied. The two findings are distinct: data exfiltration and data tampering are separate risks.

Does this work for Firebase apps deployed under a custom domain?

Yes. The scanner extracts the Firebase project ID from the deployed bundle, not from the domain. Custom domains, app.web.app subdomains, and self-hosted Firebase apps all work the same way as long as the JavaScript bundle is reachable.

Next steps

Run the free FixVibe scan against your production URL; the baas.firebase-rules check runs on every plan and flags open rules in Firestore, Realtime Database, and Cloud Storage. For a deep dive on the allow read, write: if true pattern specifically, see Firebase allow read, write: if true explained. For the umbrella view across Supabase, Firebase, Clerk, and Auth0, read BaaS misconfiguration scanner.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints their public endpoints, and reports what an unauthenticated client can read or write. Free, no signup, no card.

  • Free tier: 3 scans / month, no card required to sign up.
  • Passive BaaS fingerprinting: no domain verification needed.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix instructions on every finding: paste back into Cursor / Claude Code.