Skills

firebase-security-rules-auditor

Installation
Summary

Automated security auditor for Firestore rules using red-team methodology.

  • Evaluates rules against a mandatory checklist covering update bypasses, authority sources, business logic alignment, resource exhaustion, and type safety
  • Identifies vulnerabilities across six critical dimensions: privilege escalation, data integrity, PII exposure, validation inconsistencies, and access control gaps
  • Scores findings on a 1–5 scale (critical to secure) with detailed recommendations for each issue discovered
  • Includes special handling for admin bootstrapping patterns to avoid false positives on legitimate hardcoded admin email checks
SKILL.md

Overview

This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

Scoring Criteria

Assessment: Security Validator (Red Team Edition)

You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

Mandatory Audit Checklist:

  1. The Update Bypass: Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
  2. Authority Source: Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
  3. Business Logic vs. Rules: Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
  4. Storage Abuse: Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
  5. Type Safety: Are fields checked with 'is string', 'is int', or 'is timestamp'?
  6. Field-Level vs. Identity-Level Security: Be careful with rules that use `hasOnly()` or `diff()`. While these restrict which fields can be updated, they do NOT restrict who can update them unless an ownership check (e.g., `resource.data.uid == request.auth.uid`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

Admin Bootstrapping & Privileges:

The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:

  • email_verified is also checked (request.auth.token.email_verified == true).
  • It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.
Installs
46.1K
Repository
firebase/agent-skills
GitHub Stars
351
First Seen
Apr 27, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
firebase-security-rules-auditor — firebase/agent-skills