Severity: high
CWE-732

Firebase Storage Rules Permissive

Firebase Cloud Storage rules allow any user to read, write, or delete files without authentication, exposing uploaded content and enabling file tampering.

How It Works

Firebase Cloud Storage uses its own security rules to control file uploads and downloads. When rules allow unrestricted access, anyone can upload files (potentially malware or illegal content), download private user files, overwrite existing files, or delete critical assets. Attackers can abuse open storage to host phishing pages, distribute malware, or exfiltrate private uploads like profile photos, documents, and media files. The storage bucket URL is discoverable from the public Firebase config.

Vulnerable Code

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Every path, every operation, for anyone, signed in or not.
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

Secure Code

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Only paths under /users/<uid>/ are matched; anything else is denied by default.
    match /users/{userId}/{allPaths=**} {
      // Any signed-in user may read.
      allow read: if request.auth != null;
      // Only the owner may upload, and only images smaller than 5 MiB.
      // Note: `write` also covers delete, and request.resource is null on a
      // delete, so this rule rejects deletes; grant `delete` separately if
      // owners must be able to remove their own files.
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/.*');
    }
  }
}

Real-World Example

In 2022, researchers found Firebase Storage buckets of several popular mobile apps wide open, containing user-uploaded selfies for identity verification, passport scans, and signed documents. Over 300,000 files were accessible without authentication.

How to Prevent It

  • Always require request.auth != null for file operations
  • Scope write access to user-specific paths using request.auth.uid
  • Validate file size and content type in storage rules
  • Use separate storage paths for public vs. private content
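The four checks above can be enforced before deployment with a small lint over the rules file. The following is an added example, not code from the original page or from Firebase: a static checker that walks the nested `match` blocks of a storage.rules file and reports every `allow` whose condition never consults `request.auth`, plus write grants that skip the uid, size and content-type checks. The two rule sets it runs over are the vulnerable and secure snippets from this page; the tokenizer is a deliberately simple approximation of the rules grammar, not Firebase's own parser.

```javascript
// Added example: a minimal static checker for permissive Firebase Storage rules.
// It handles the common shape of storage.rules files (nested `match` blocks and
// `allow <ops>[: if <condition>];` statements), which is enough for a CI gate.

const VULNERABLE_RULES = `
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}`;

const SECURE_RULES = `
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/.*');
    }
  }
}`;

// Path wildcards such as {bucket} or {allPaths=**} use braces too, so they are
// swapped for sentinel characters before splitting on block braces.
const WILDCARD = /\{([\w=*]+)\}/g;

// Split the source into block delimiters ({ }), statement ends (;) and the text
// between them. Line comments are dropped first so a commented-out rule cannot
// confuse the checker (a string literal containing // would also be cut; acceptable for a lint).
function tokenize(src) {
  const protectedSrc = src
    .replace(/\/\/.*$/gm, '')
    .replace(WILDCARD, '\u0001$1\u0002');
  return protectedSrc
    .split(/([{};])/)
    .map((t) => t.replace(/\s+/g, ' ').trim().replace(/\u0001/g, '{').replace(/\u0002/g, '}'))
    .filter((t) => t.length > 0);
}

// Walk the token stream, tracking the nested match path, and collect every
// allow statement with its fully qualified path.
function collectAllows(src) {
  const allows = [];
  const path = [];
  let pending = null; // path segment of a `match` whose `{` has not been seen yet
  for (const tok of tokenize(src)) {
    const m = /^match (\S+)$/.exec(tok);
    if (m) { pending = m[1]; continue; }
    if (tok === '{') { path.push(pending || ''); pending = null; continue; }
    if (tok === '}') { path.pop(); continue; }
    const a = /^allow ([\w, ]+?)(?: ?: ?if (.+))?$/.exec(tok);
    if (a) {
      // `allow read;` with no condition is unconditional in Firebase rules.
      const ops = a[1].split(',').map((op) => op.trim());
      const condition = (a[2] || 'true').trim();
      allows.push({ path: path.join(''), ops, condition });
    }
  }
  return allows;
}

const MUTATING_OPS = ['write', 'create', 'update', 'delete'];
const UPLOAD_OPS = ['write', 'create', 'update']; // delete carries no request.resource

// Report each allow whose condition does not depend on the caller's identity,
// plus mutating grants that skip the uid, size and content-type checks.
function findPermissiveAllows(src) {
  const findings = [];
  for (const { path, ops, condition } of collectAllows(src)) {
    const mutates = ops.some((op) => MUTATING_OPS.includes(op));
    const uploads = ops.some((op) => UPLOAD_OPS.includes(op));
    if (condition === 'true') {
      findings.push({ path, ops, severity: 'high', issue: 'unconditional access' });
      continue;
    }
    if (!/\brequest\.auth\b/.test(condition)) {
      findings.push({ path, ops, severity: 'high', issue: 'condition never checks request.auth' });
    }
    if (mutates && !/request\.auth\.uid/.test(condition)) {
      findings.push({ path, ops, severity: 'medium', issue: "write not scoped to the caller's uid" });
    }
    if (uploads && !/request\.resource\.size/.test(condition)) {
      findings.push({ path, ops, severity: 'medium', issue: 'upload has no size limit' });
    }
    if (uploads && !/contentType/.test(condition)) {
      findings.push({ path, ops, severity: 'low', issue: 'upload has no content-type restriction' });
    }
  }
  return findings;
}

console.log('vulnerable:', JSON.stringify(findPermissiveAllows(VULNERABLE_RULES), null, 2));
console.log('secure:', JSON.stringify(findPermissiveAllows(SECURE_RULES), null, 2));
```

Run against the vulnerable rules it reports one high finding for `/b/{bucket}/o/{allPaths=**}` (unconditional read and write); against the secure rules it reports nothing. Wiring this into CI fails the build before a permissive rule set reaches the bucket, which complements rather than replaces the Firebase emulator tests that exercise the rules against real requests.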

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.