0

I am developing an Android app that makes use of Firebase Storage with Security Rules.

Currently my only Firebase Security Rules are auth != null on both read and write, a 5 MB max file size on write, and a 1 hr period max before users can no longer read the file.

My question is: how safe is this? How hard would it be for a malicious user to upload multiple files repeatedly, so as to kill my storage space?

Ismail Khan
  • You just posted a similar question here: https://groups.google.com/forum/#!topic/firebase-talk/hS0_rPgsGPM While the posts are slightly different, please indicate when you post it in multiple locations. – Frank van Puffelen Sep 16 '17 at 20:27

1 Answer

2

Yes, with just security rules of auth != null any authenticated user can upload whatever they want to your Cloud Storage bucket.

If file size is a realistic concern for your use-case, you'll want to have a stricter user-check than auth != null and/or implement a reasonable limit on file size.

Frank van Puffelen
  • How exactly would a malicious, auth'd user abuse this? In my Android app, for example, auth'd users can upload files with a max file size, but client side code determines what the file name/path should be. Can auth'd users upload files to any path they want by circumventing my app's client side code? Since storage rules can't talk to my real-time DB, I don't know what the alternative is :( – Ismail Khan Sep 17 '17 at 06:49
  • You shouldn't depend on logic in your client-side code to enforce constraints. While client-side code is a friendly way to inform your users, you need server-side rules which malicious users can't bypass. The links I provided in my answer show how to do that for Storage. – Frank van Puffelen Sep 17 '17 at 14:03
  • From the links, I see that I can specify a specific file path (like $user_id/file_name), with a max file size, and enforce that only an auth'd user with ID==$user_id can read/write the data. What's stopping a user from uploading a million files at this path? I don't want to hard-code a list of userIDs that can read/write, since that will change very quickly. Is what I suggested really the best approach (that does not require setting up a customer server)? – Ismail Khan Sep 17 '17 at 14:46
  • @IsmailKhan this is called double validation; it is a good practice that should always be enforced in client-server communication. This way, your app is used as intended, and in any other case, the server will prevent malicious use. – cutiko Sep 21 '17 at 14:02
  • @cutiko, even this double validation does not seem secure to me. Can’t a user write infinitely many times to their $user_id path? – Ismail Khan Sep 22 '17 at 03:35
  • @IsmailKhan this could also happen with other sorts of servers. You are focusing on the wrong side of the coin; Firebase is to speed up your application launch. – cutiko Sep 22 '17 at 13:54
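
The rules discussed in this thread, written out as an added example (not code from the question, the answer, or Firebase's own documentation): the bucket-wide `auth != null` rule beside a per-user path rule. It assumes the `{userId}/{fileName}` layout mentioned in the comments and carries over the 5 MB and 1 hour limits from the question; splitting write into create and delete is a choice made for this example.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // BEFORE (as described in the question, shown commented out):
    // any signed-in user may read or write any path in the bucket,
    // because the path is chosen by client code and never checked here.
    //
    // match /{allPaths=**} {
    //   allow read:  if request.auth != null
    //     && request.time < resource.timeCreated + duration.value(1, 'h');
    //   allow write: if request.auth != null
    //     && request.resource.size < 5 * 1024 * 1024;
    // }

    // AFTER: the first path segment must equal the caller's uid, so the
    // server, not the app, decides where a user is allowed to write.
    // Layout {userId}/{fileName} is an assumption taken from the comments.
    match /{userId}/{fileName} {

      // Owner-only read, and only within 1 hour of the object's creation.
      allow read: if request.auth != null
        && request.auth.uid == userId
        && request.time < resource.timeCreated + duration.value(1, 'h');

      // Owner-only upload of a new object, capped at 5 MB.
      // Overwriting an existing object (update) is not granted.
      allow create: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024;

      // Owner may remove their own objects. request.resource is null on
      // delete, so the size check is deliberately not part of this rule.
      allow delete: if request.auth != null
        && request.auth.uid == userId;
    }

    // No other match block exists, so every other path is denied.
    // These rules bound where each object goes and how large it is;
    // they do not bound how many objects a user creates under their
    // own prefix, which is the open point raised in the comments.
  }
}
```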