I should not be receiving emails regarding real time database having "insecure rules"


Saad Bilal

Sep 6, 2022, 11:54:29 PM
to Firebase Google Group
Hi everyone,
  I have created a React application that displays lots of images and videos to the user. All of these assets are stored in Firebase Storage and Firebase Realtime Database is used to store an array of objects containing the URLs of these assets and relevant CSS styles. Whenever the website loads, this list of objects is fetched and the assets are shown to the user.

Now, the rules for the realtime database are:
{
  "rules": {
    ".read": true,
    ".write": "auth !== null"
  }
}

I know that any user can read the entire database, but that is the point, since anyone visiting the website should be able to view all of the images, videos, etc.

Firebase keeps on sending me email alerts that my rules are insecure. Am I doing something wrong? How do I fix this?

Thanks for your help, everyone.

Andreas B

Sep 7, 2022, 3:52:55 AM
to Firebase Google Group
That ruleset means two things:

First, everyone can read not only every part of your database, but the whole database at once. Even if everything stored might as well be public information, this means that someone could access the root node and download everything in one operation. Depending on the size of your database, this might at least lead to a huge bill for you down the line, even if you believe that getting to know the URL to every single image and video of yours is not a problem.

Second, it means that every authenticated user can write anything to any location in your database. This allows stuff like changing individual video URLs to any other video URL that may exist somewhere on the internet and which will subsequently be shown to your users as if it were your content, but also stuff like just writing a null value to your root node and deleting everything you've got.

Neither option sounds really secure to me, so you should do at least two things: restrict read operations to individual nodes further down the tree (depending on what structure makes sense for you), and restrict write operations not just to any authenticated user, but to specific user accounts that you control.
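One way to apply both of Andreas's points in a Realtime Database ruleset. This is an added example, not a ruleset posted by anyone in this thread; the paths /public/assets and /admins and the field names url and style are assumptions about how the data could be laid out. Read access is granted at a bounded node rather than the root, so the site can still fetch the whole asset list in one request but nothing else; writes are limited to UIDs listed in an allow-list node that clients cannot read or modify; and .validate rules keep a writer from pointing the site at content outside the project's own Storage bucket:

```json
{
  "rules": {
    // Nothing at the root is readable or writable. Rules cascade downward,
    // so permissions only exist where a rule below grants them.

    // Public catalogue loaded when the site starts (assumed path).
    "public": {
      "assets": {
        // Anyone may read this node and everything under it, but only this node,
        // not the database root.
        ".read": true,
        // Only UIDs present under /admins may create, change or delete assets.
        // Granting .write here (not at the root) lets an admin replace the
        // whole list in one operation while every other path stays locked.
        ".write": "auth !== null && root.child('admins').child(auth.uid).val() === true",
        "$assetId": {
          // Each asset must carry exactly the fields the app expects (assumed names).
          ".validate": "newData.hasChildren(['url', 'style'])",
          "url": {
            // Reject URLs that do not point at Firebase Storage, so a stolen
            // admin session cannot swap in third-party content.
            ".validate": "newData.isString() && newData.val().beginsWith('https://firebasestorage.googleapis.com/')"
          },
          "style": {
            ".validate": "newData.isString() && newData.val().length < 2048"
          },
          // Any unexpected child key fails validation.
          "$other": { ".validate": false }
        }
      }
    },

    // Allow-list of administrator UIDs, shaped like { "admins": { "<uid>": true } }.
    // Clients can neither read nor write it; maintain it from the Firebase
    // console or the Admin SDK, which bypass security rules.
    "admins": {
      ".read": false,
      ".write": false
    }
  }
}
```

An array of objects written to the database is stored as keys 0, 1, 2, ..., so the $assetId wildcard matches each element. The Rules Playground in the Firebase console can be used to confirm that an unauthenticated read of / is denied, a read of /public/assets is allowed, and a write to /public/assets by a UID not listed under /admins is denied.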

Michael Bleigh

Sep 7, 2022, 12:58:33 PM
to Firebase Google Group
Well-stated, Andreas -- as a Firebase engineer that's pretty much the exact advice I'd give.

Saad Bilal

Sep 7, 2022, 3:53:25 PM
to Firebase Google Group
Thank you very much for your answer, Andreas.