Severity: high | CWE-863

Cascading Rules Misconfigured

Parent-level Firebase rules override restrictive child rules, unintentionally granting broader access than intended to nested collections and documents.

How It Works

In Firebase Realtime Database, rules cascade from parent to child nodes. If a parent path has '.read: true', every child node inherits that access regardless of its own rules: a permission granted higher in the tree cannot be revoked lower down. Developers often set permissive rules on a parent intending to add restrictions on the children, but those child restrictions are never consulted. Firestore behaves differently: rules do not cascade, but access is granted if any matching rule allows it, so a broad recursive wildcard such as '/{document=**}' with a permissive 'allow' grants access regardless of a more specific rule that would deny it.

Vulnerable Code

{
  "rules": {
    "app_data": {
      ".read": true,
      ".write": true,
      "admin_config": {
        ".read": "auth !== null && auth.token.admin === true",
        ".write": "auth !== null && auth.token.admin === true"
      }
    }
  }
}

Secure Code

{
  "rules": {
    "app_data": {
      "public": {
        ".read": true,
        ".write": "auth !== null"
      },
      "admin_config": {
        ".read": "auth !== null && auth.token.admin === true",
        ".write": "auth !== null && auth.token.admin === true"
      }
    }
  }
}
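As an added example (not the page's own code and not a Firebase tool), the Node.js script below models the Realtime Database cascade described in How It Works and runs it against the two rule sets above. isAllowed walks from the root to the requested path and grants access as soon as any ancestor's rule evaluates true, which is why the admin_config rules in the vulnerable set never take effect; findShadowedRules is a small linter that reports exactly those dead child rules. The expression evaluator understands only the rule expressions that appear on this page, and the function names and the shape of the auth object are assumptions made for illustration.

```javascript
// Added example: model of Realtime Database rule cascading plus a linter for
// child rules shadowed by a permissive parent. Supports only the expressions used
// in this entry: boolean literals, "auth !== null" / "auth != null" and
// "auth.token.<claim> === true" joined by "&&". $wildcards, data, newData and root
// are out of scope; use the Rules Playground or emulator for real rule sets.

// Rules copied from the page's Vulnerable Code block.
const vulnerableRules = {
  rules: {
    app_data: {
      ".read": true,
      ".write": true,
      admin_config: {
        ".read": "auth !== null && auth.token.admin === true",
        ".write": "auth !== null && auth.token.admin === true",
      },
    },
  },
};

// Rules copied from the page's Secure Code block.
const secureRules = {
  rules: {
    app_data: {
      public: { ".read": true, ".write": "auth !== null" },
      admin_config: {
        ".read": "auth !== null && auth.token.admin === true",
        ".write": "auth !== null && auth.token.admin === true",
      },
    },
  },
};

// Evaluate one rule expression against an auth object (null = anonymous request).
function evalRule(expr, auth) {
  if (typeof expr === "boolean") return expr;
  return expr.split("&&").every((term) => {
    const t = term.trim();
    if (t === "auth !== null" || t === "auth != null") return auth !== null;
    const claim = /^auth\.token\.(\w+) === true$/.exec(t);
    if (claim) return auth !== null && auth.token?.[claim[1]] === true;
    throw new Error(`unsupported rule expression: ${t}`);
  });
}

// RTDB semantics: a ".read"/".write" that evaluates true at the target node or at
// ANY ancestor grants access; deeper rules can only widen access, never narrow it.
function isAllowed(rulesDoc, kind, path, auth) {
  const key = `.${kind}`;
  const segments = path.split("/").filter(Boolean);
  let node = rulesDoc.rules;
  // Check the root first, then each ancestor down to the target node.
  for (let i = 0; i <= segments.length; i++) {
    if (node && key in node && evalRule(node[key], auth)) return true;
    if (i < segments.length) node = node ? node[segments[i]] : undefined;
  }
  return false;
}

// Linter: report every ".read"/".write" defined beneath an ancestor whose rule is
// the literal true. Such a child rule is dead code: it can never revoke the grant.
function findShadowedRules(rulesDoc) {
  const findings = [];
  const walk = (node, path, grantedBy) => {
    for (const kind of ["read", "write"]) {
      if (`.${kind}` in node && grantedBy[kind]) {
        findings.push({ path, kind, shadowedBy: grantedBy[kind] });
      }
    }
    // Record the shallowest unconditional grant for each permission kind.
    const next = { ...grantedBy };
    for (const kind of ["read", "write"]) {
      if (node[`.${kind}`] === true && !next[kind]) next[kind] = path;
    }
    for (const [child, value] of Object.entries(node)) {
      if (!child.startsWith(".") && typeof value === "object" && value !== null) {
        walk(value, `${path}/${child}`, next);
      }
    }
  };
  walk(rulesDoc.rules, "", {});
  return findings;
}

// Anonymous and admin requests against the admin path in both rule sets.
function demo() {
  const adminPath = "/app_data/admin_config";
  const admin = { token: { admin: true } }; // constructed auth object
  return {
    vulnerableAnonRead: isAllowed(vulnerableRules, "read", adminPath, null), // true
    secureAnonRead: isAllowed(secureRules, "read", adminPath, null),         // false
    secureAdminRead: isAllowed(secureRules, "read", adminPath, admin),       // true
    shadowedInVulnerable: findShadowedRules(vulnerableRules),                // 2 findings
    shadowedInSecure: findShadowedRules(secureRules),                        // []
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node (file name of your choice); the two shadowed findings point at /app_data/admin_config and name /app_data as the node whose literal true makes them unreachable. Running a check like this in CI against the exported rules file catches the misconfiguration before deployment, and the emulator or Rules Playground then confirms the result with the full rule language.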

Real-World Example

A popular educational app intended to restrict admin configuration to admins only. However, a '.read: true' rule on the parent node made admin settings (including API keys for third-party services) readable by anyone. The misconfiguration went undetected for 8 months.

How to Prevent It

  • Never set permissive rules on parent nodes that contain sensitive children
  • In Realtime Database, remember that a permission granted on a parent node cannot be revoked by a child rule
  • Structure data to separate public and private paths at the top level
  • Test rule cascading behavior using the Firebase Rules Playground

Affected Technologies

Firebase, Node.js, React, Mobile
