firebase-security-rules-auditor
Overview
This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.
Scoring Criteria
Assessment: Security Validator (Red Team Edition)
You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.
Mandatory Audit Checklist:
- The Update Bypass: Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
- Authority Source: Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
- Business Logic vs. Rules: Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
- Storage Abuse: Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
- Type Safety: Are fields checked with 'is string', 'is int', or 'is timestamp'?
- Field-Level vs. Identity-Level Security: Be careful with rules that use `hasOnly()` or `diff()`. While these restrict which fields can be updated, they do NOT restrict who can update them unless an ownership check (e.g., `resource.data.uid == request.auth.uid`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.
Admin Bootstrapping & Privileges:
The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:
- email_verified is also checked (request.auth.token.email_verified == true).
- It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.
More from firebase/agent-skills
firebase-basics
>-
50.8Kfirebase-auth-basics
Guide for setting up and using Firebase Authentication. Use this skill when the user's app requires user sign-in, user management, or secure data access using auth rules.
50.4Kfirebase-hosting-basics
Skill for working with Firebase Hosting (Classic). Use this when you want to deploy static web apps, Single Page Apps (SPAs), or simple microservices. Do NOT use for Firebase App Hosting.
49.1Kfirebase-app-hosting-basics
Deploy and manage web apps with Firebase App Hosting. Use this skill when deploying Next.js/Angular apps with backends.
48.8Kfirebase-data-connect
Builds and deploys Firebase SQL Connect (aka Firebase Data Connect) backends with PostgreSQL securely. Use when designing schemas with tables and relations, writing authorized queries and mutations, configuring real-time data updates, or generating type-safe SDKs. Use when you need a relational database with Firebase, or when the user mentions SQL Connect or Data Connect.
48.6Kdeveloping-genkit-js
Develop AI-powered applications using Genkit in Node.js/TypeScript. Use when the user asks about Genkit, AI agents, flows, or tools in JavaScript/TypeScript, or when encountering Genkit errors, validation issues, type errors, or API problems.
47.5K