Closed andlcool closed 7 years ago
The push key is actually designed to be unguessable. So I think this is far fetched as a security concern and an edge case you are 2^120 unlikely to encounter. But adding a security rule to check for this certainly won't do any harm either!
@katowulf thanks for the reply. Unless i am mistaken, by using the set method, the push key is not needed to overwrite all the items in tasks.
So the problem here being that it's at the parent level instead of the individual task level. Agreed.
It looks like, in the example rules, it should be this:
"rules": {
"queue": {
"tasks": {
".read": "auth.canProcessTasks",
".indexOn": "_state",
"$taskId": {
".write": "auth.canAddTasks && !data.exists() || auth.canProcessTasks",
....
}}}}
How could i have missed that! The security issue coupled with this rule could then be mitigated by the push key being designed to be unguessable.
Thanks so much for the solution. 👍
Version info
Firebase-admin: 4.1.0
Firebase: 3.6.1
Firebase Queue: 1.6.0
Node.js: v7.0.0
Other (e.g. operating system) (if applicable): MacOS Sierra 10.12.1
Test case
Steps to reproduce
Step 1: with this Firebase queue security rules
Step 2:
Step 3: This overwrite the user_reminder_queue > tasks > data (This behaviour is undesirable)
Expected behavior
With the recommended firebase queue security rules, see https://github.com/firebase/firebase-queue/blob/master/docs/guide.md#queue-security, a set operation should not overwrite existing tasks in the queue.
Actual behavior
Existing tasks in the queue > tasks can be overwritten.