Severity: high
CWE-862 (Missing Authorization)

Cloud Functions Without Validation

Firebase Cloud Functions exposed as HTTP endpoints accept and process requests without verifying authentication tokens or validating input data.

How It Works

Firebase Cloud Functions can be deployed as HTTP endpoints accessible from the internet. Unlike callable functions that automatically verify Firebase Auth tokens, HTTP functions receive raw requests with no built-in authentication. If the function does not manually verify the Authorization header or Firebase ID token, anyone can invoke it. This is especially dangerous for functions that modify data, send emails, process payments, or access admin resources. The function URL is often discoverable from client-side code.

Vulnerable Code

const functions = require('firebase-functions'); // v1 API
const admin = require('firebase-admin');
admin.initializeApp();

// HTTP endpoint: no token check, no input validation, no ownership check.
// Anyone who knows the URL can delete any account by posting its userId.
exports.deleteUser = functions.https.onRequest(async (req, res) => {
  const { userId } = req.body;
  await admin.auth().deleteUser(userId);
  await admin.firestore().collection('users').doc(userId).delete();
  res.json({ success: true });
});
Secure Code

const functions = require('firebase-functions'); // v1 API
const admin = require('firebase-admin');
admin.initializeApp();

// Callable function: the SDK verifies the Firebase ID token before the
// handler runs and exposes the caller's identity as context.auth.
exports.deleteUser = functions.https.onCall(async (data, context) => {
  if (!context.auth) {
    throw new functions.https.HttpsError('unauthenticated', 'Must be signed in');
  }
  // Authorization: callers may only delete their own account.
  if (context.auth.uid !== data.userId) {
    throw new functions.https.HttpsError('permission-denied', 'Cannot delete other users');
  }
  // Use the verified uid, never the client-supplied value.
  await admin.auth().deleteUser(context.auth.uid);
  await admin.firestore().collection('users').doc(context.auth.uid).delete();
  return { success: true };
});

Real-World Example

In 2023, an e-commerce app had an HTTP Cloud Function for applying discount codes that lacked authentication. Attackers discovered the endpoint URL and applied unlimited discounts to orders, causing significant financial losses before the function was secured.

How to Prevent It

  • Use onCall instead of onRequest for functions called from your app
  • For HTTP functions, always verify the Firebase ID token from the Authorization header
  • Validate and sanitize all input data with a schema validator
  • Apply rate limiting using Firebase App Check or a middleware
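When an endpoint must stay an HTTP onRequest function (webhooks, non-Firebase clients), the token verification, input validation and ownership check described above have to be written by hand. The following is an added example, not code from the original page: the Firebase calls (verifyIdToken, deleteUser, the Firestore delete) are injected as dependencies, and the handler factory name createDeleteUserHandler is an assumption, so the logic runs and can be tested without a Firebase project.

```javascript
// Added example (not the original page's code). The three checks an HTTP
// onRequest function must do itself, with Firebase calls injected so the logic
// runs and can be tested without a project. Assumed production wiring:
//   exports.deleteUser = functions.https.onRequest(createDeleteUserHandler({
//     verifyIdToken: (t) => admin.auth().verifyIdToken(t, true), // true = checkRevoked
//     deleteAccount: (uid) => admin.auth().deleteUser(uid),
//     deleteProfile: (uid) => admin.firestore().collection('users').doc(uid).delete() }));

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Accept only "Authorization: Bearer <token>"; anything else is unauthenticated.
function extractBearerToken(headers) {
  const match = /^Bearer\s+(\S+)$/.exec(headers.authorization || '');
  if (!match) throw new HttpError(401, 'Missing or malformed Authorization header');
  return match[1];
}

// Minimal schema check: the body must be an object with one string userId.
function validateDeleteUserBody(body) {
  if (!body || typeof body !== 'object') throw new HttpError(400, 'Body must be a JSON object');
  const { userId } = body;
  if (typeof userId !== 'string' || !/^[A-Za-z0-9]{1,128}$/.test(userId)) {
    throw new HttpError(400, 'userId must be an alphanumeric string');
  }
  return { userId };
}

function createDeleteUserHandler({ verifyIdToken, deleteAccount, deleteProfile }) {
  return async (req, res) => {
    try {
      // 1. Authentication: verifyIdToken rejects forged, expired or revoked tokens.
      let decoded;
      try {
        decoded = await verifyIdToken(extractBearerToken(req.headers));
      } catch (err) {
        throw err instanceof HttpError ? err : new HttpError(401, 'Invalid or expired ID token');
      }
      const { userId } = validateDeleteUserBody(req.body); // 2. Input validation
      // 3. Authorization: the caller may only delete their own account.
      if (decoded.uid !== userId) throw new HttpError(403, 'Cannot delete other users');
      await deleteAccount(decoded.uid);
      await deleteProfile(decoded.uid);
      res.status(200).json({ success: true });
    } catch (err) {
      const status = err instanceof HttpError ? err.status : 500;
      res.status(status).json({ error: status === 500 ? 'Internal error' : err.message });
    }
  };
}
```

Note that the handler deletes decoded.uid, the identity proven by the token, rather than the client-supplied userId, so even a validation bypass cannot widen the blast radius.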

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.
