Firebase Security Rules provide a declarative, server-enforced framework for protecting data in Firestore, the Realtime Database, and Cloud Storage [S1]. Because Firebase applications often talk to these cloud services directly from the client side, these rules are the only barrier preventing unauthorized access to backend data [S1].
Impact of Permissive Rules
Misconfigured rules can expose sensitive data [S2]. If rules are set to be overly permissive, for example by leaving the default 'test mode' settings that grant global access, any user who knows the project ID can read, modify, or delete the entire database [S2]. This bypasses every client-side security measure and can lead to the loss of sensitive user data or a complete compromise of the service [S2].
Root Cause: Insufficient Authorization Logic
The root cause of these weaknesses is usually a failure to implement specific conditions that restrict access based on user identity or resource attributes [S3]. Developers frequently leave default settings running in production that never validate the request.auth object [S3]. Without evaluating request.auth, the system cannot distinguish between an authenticated user and an anonymous one [S3].
Technical Remediation
Securing a Firebase environment requires moving from open access to a least-privilege model.
- Enforce Authentication: Ensure that every relevant path requires an authenticated user session by checking that the request.auth object is not null [S3].
- Implement Identity-Based Access: Write rules that compare the user's UID (request.auth.uid) to a field in the document, or to the document ID itself, so that users can only access their own data [S3].
- Granular Permission Scoping: Avoid global wildcards for collections. Instead, define specific rules for each collection and subcollection to reduce the potential attack surface [S2].
- Validation via the Emulator Suite: Use the Firebase Emulator Suite to test security rules locally. This lets you verify the access-control logic for different users before deploying to production [S2].
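As an added example (not FixVibe's scanner and not Firebase tooling), a small JavaScript check that flags the patterns the list above warns about, run over two constructed rules snippets: the default test-mode rules beside an owner-only version that evaluates request.auth and ties request.auth.uid to the document ID.

```javascript
// Added example (not FixVibe's scanner): static audit of Firestore rules text
// for the permissive patterns the remediation list warns about.
// Constructed sample: default "test mode" rules, gated on a date, not identity.
const TEST_MODE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2030, 1, 1);
    }
  }
}`;
// Constructed sample: owner-only access that checks request.auth.
const HARDENED_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}`;
// One finding per weak "allow"; one more if a recursive wildcard rules everything.
function auditRules(rulesText) {
  const findings = [];
  // "allow <ops>;" or "allow <ops>: if <cond>;", possibly spanning lines.
  const allowRe = /allow\s+([\w,\s]+?)\s*(?::\s*if\s+([\s\S]+?))?;/g;
  let m;
  while ((m = allowRe.exec(rulesText)) !== null) {
    const line = rulesText.slice(0, m.index).split('\n').length;
    const cond = (m[2] || 'true').replace(/\s+/g, ' ').trim();
    if (cond === 'true') {
      findings.push({ line, issue: 'unconditional access' });
    } else if (/request\.time\s*<\s*timestamp\.date/.test(cond)) {
      findings.push({ line, issue: 'test-mode expiry instead of authorization' });
    } else if (!/request\.auth/.test(cond)) {
      findings.push({ line, issue: 'condition never evaluates request.auth' });
    }
  }
  if (/match\s+\/\{\w+=\*\*\}/.test(rulesText)) {
    findings.push({ line: 0, issue: 'recursive wildcard match covers all documents' });
  }
  return findings;
}
console.log(auditRules(TEST_MODE_RULES)); // prints two findings
console.log(auditRules(HARDENED_RULES)); // prints []
```

A passing result here is a pre-commit sanity check, not a substitute for running the rules against real requests in the Emulator Suite.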
How FixVibe tests for this
FixVibe now includes this as a read-only BaaS scan. baas.firebase-rules extracts the Firebase configuration from the same first-party JavaScript sources, including modern initializeApp(...) forms, and then probes the Realtime Database, Firestore, and ZXCVFIXVIBETOKEN12 with unauthenticated requests. For Firestore, it first tries to list the root collections; when listing is blocked, it also checks common collection names such as users, accounts, customers, orders, ZXCVFIZVIBETOKEN6 messages, admin, and settings. It reports only successful unauthenticated reads or listings, and it does not write, delete, or store customer data.
