Firebase Security Rule Vulnerability: FBR-LOGIC-001
Name: Improper Rule Inheritance (RTDB Specific)
Applicable Services: Realtime Database (RTDB)
Description
This vulnerability is unique to the Firebase Realtime Database due to its specific rule evaluation mechanism. RTDB rules cascade downwards, meaning rules defined at a parent path automatically apply to all child paths beneath it.
Crucially, permissions are additive, and shallower rules override deeper rules. This means:
- If a .read or .write rule grants access at a parent path (e.g., /users), that permission cannot be revoked by a more restrictive rule at a child path (e.g., /users/$uid/private). The shallower allow rule always wins.
- A rule at a child path can grant more access than its parent, but it cannot take away access already granted by the parent.
Misunderstanding or overlooking this cascading, permissive-wins logic can lead to unintentional data exposure or write access at deeper levels of the data hierarchy.
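To make the cascade concrete, here is an added example (not code from the original page or from Firebase): a small simulator that walks a rules object from the root down to the requested path and grants the request as soon as any ancestor's rule is true. It is run against the page's insecure rule set and against an assumed hardened layout (the display_name field is an assumption) that keeps public read scoped to the public field.

```javascript
// Added example (not from the original page): a minimal simulator of the
// RTDB cascade. A request is allowed as soon as ANY ".read"/".write" rule at
// the requested path or one of its ancestors evaluates to true; a deeper rule
// can never revoke that grant. Rule strings are evaluated with `auth` and the
// bound $wildcards in scope (toy evaluator, for your own trusted rule files).
function evalRule(rule, auth, vars) {
  if (typeof rule === "boolean") return rule;
  const names = ["auth", ...Object.keys(vars)];     // e.g. ["auth", "$uid"]
  const values = [auth, ...Object.values(vars)];
  return Boolean(new Function(...names, `return (${rule});`)(...values));
}

// Walk from the root towards `path`, checking the rule at every level.
function isAllowed(rules, op, path, auth) {
  const key = op === "read" ? ".read" : ".write";
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules.rules;
  for (let i = 0; ; i++) {
    if (key in node && evalRule(node[key], auth, vars)) return true; // a grant wins
    if (i === segments.length) return false;      // reached target, nothing granted
    const seg = segments[i];
    if (seg in node) { node = node[seg]; continue; }
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    if (!wildcard) return false;                  // no rules below this level
    vars[wildcard] = seg;                         // bind e.g. $uid = "alice"
    node = node[wildcard];
  }
}

// Constructed rule sets. The insecure one is the page's example: the parent
// ".read": true makes the child ".read": false irrelevant.
const insecureRules = { rules: { user_public_profiles: {
  ".read": true,
  $uid: { private_notes: { ".read": false,
                           ".write": "auth != null && auth.uid === $uid" } },
} } };
// Hardened variant (assumed layout): public read only on the public field,
// and private_notes gated on the owner at the node itself.
const hardenedRules = { rules: { user_public_profiles: {
  $uid: {
    display_name:  { ".read": true },
    private_notes: { ".read":  "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid" } },
} } };

const notes = "/user_public_profiles/alice/private_notes";
console.log(isAllowed(insecureRules, "read", notes, null));             // true: exposed
console.log(isAllowed(hardenedRules, "read", notes, null));             // false
console.log(isAllowed(hardenedRules, "read", notes, { uid: "alice" })); // true
```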
Risks
- Unintended Data Exposure: Sensitive data nested under a path with broad read access will be readable, even if a specific rule attempts to deny access at the deeper level.
- Unintended Write Access: Similarly, broad write permissions granted at a parent level cannot be restricted for specific child nodes.
- Rule Complexity: Managing security in deeply nested structures requires careful planning to avoid accidentally granting overly broad permissions at higher levels.
Insecure Code Example
Realtime Database (RTDB):
{
  "rules": {
    "user_public_profiles": {
      // This rule grants read access to all data under this path
      ".read": true,
      "$uid": {
        "private_notes": {
          // PROBLEM: This ".read": false rule is IGNORED because the
          // parent path "/user_public_profiles" already granted read access via ".read": true.
          // Anyone can read the private_notes.
          ".read": false,
          ".write": "auth != null && auth.uid === $uid" // Write is correctly restricted