Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate Firestore Security Rules Around UserId #1634

Open
Mephistic opened this issue Oct 13, 2024 · 0 comments
Open

Investigate Firestore Security Rules Around UserId #1634

Mephistic opened this issue Oct 13, 2024 · 0 comments
Labels
backend Backend Development bug Something isn't working

Comments

@Mephistic
Copy link
Collaborator

Problem

The Firestore security rules we have set up for testimony don't technically block users from re-assigning testimony (by changing the userId of an existing testimony).

I'm not 100% sure how much of a problem this actually is since testimony is a sub-collection under users - not just a field on the testimony data, but we should double-check this to ensure we don't have a security hole.

Summary of the potential problem:

  • User 123 submits a new testimony with ID ABC
  • User 123 makes a malicious request to update testimony ABC to have a userId of 456
  • Testimony ABC now (erroneously) shows up as published by user 456

Success Criteria

  • Verify that this is an open security hole by making the malicious request
  • If so, update Firestore security rules so that users can't change the userId/uid of their testimony to that of another user.
@Mephistic Mephistic added backend Backend Development bug Something isn't working labels Oct 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backend Backend Development bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant