Skip to content

Firebase Security Vulnerability: FBR-CONFIG-002

Name: Missing Explicit Rule for Collection Path

Applicable Services: Cloud Firestore

Description

Configuration Issue

This issue arises when a Firestore collection is used by the application but there is no corresponding match statement in the firestore.rules file that specifically targets that collection's path. While Firestore denies access by default (implicit deny), missing explicit rules creates an unclear security posture and makes it difficult to understand which collections are intentionally protected.

The primary concern isn't immediate unauthorized access, but rather:

  • Undefined Security State: Without explicit rules, it's unclear whether a collection's security was intentionally configured or simply forgotten
  • Maintenance Difficulties: Developers may be unsure which collections need rules when the application evolves
  • Future Misconfiguration Risk: When rules are eventually added, they may be implemented incorrectly due to lack of initial planning

Impact

Development and Maintenance Risks

While not immediately dangerous from a security perspective, this issue can lead to:

  • Unclear security posture for application collections
  • Development confusion when debugging access issues
  • Potential future misconfigurations when rules are added later
  • Difficulty auditing which collections are intentionally secured
  • Inconsistent rule management across the application

Example Problem Scenarios

Common Developer Confusion: Missing Collection Access

The Problem Setup: 

// Application code that reads from a users collection
const userDoc = await db.collection('users').doc(userId).get();

The Incomplete Rules: 

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Only rules for posts collection, but app also uses 'users'
    match /posts/{postId} {
      allow read, write: if request.auth != null;
    }
    // Missing: No explicit rule for 'users' collection
  }
}

Developer's Goal: Access user data from the client application.

What Happens: The read operation fails because there's no explicit rule allowing access to the users collection.

The Confusion: Developer spends time debugging why their authenticated requests are being denied, not realizing they need an explicit rule for every collection they use.

Mitigation

The issue is resolved by explicitly defining match blocks for every collection used by the application, ensuring clear and intentional security configuration.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Access to the "users" collection is implicitly denied
    match /posts/{postId} {
      allow read, write: if request.auth != null;
    }
  }
}

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Explicitly define rules for the "users" collection
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    match /posts/{postId} {
      allow read, write: if request.auth != null;
    }

    // Optional: Explicit deny-all fallback for any unmatched paths
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Best Practice: Rule Inventory

Maintain an inventory of all collections used by your application and ensure each has an explicit rule. Consider adding comments in your rules file to document the purpose of each collection and its intended access patterns.

References