1
service firebase.storage {
2
  match /b/{bucket}/o {
3

4
    /**
5
     * Returns true iff the user is signed in.
6
     */
7
    function isSignedIn() {
8
      return request.auth != null;
9
    }

1
match /user-media/{allPaths=**} { allow create, read, write: if isSignedIn(); }

1
/* eslint-disable no-console */
2
const fs = require('fs');
3
const path = require('path');
4

5
const rulesPath =
6
  process.argv[2] ||
7
  'D:\\CTF\\work\\ground-platform-master\\storage\\storage.rules';
8
const outPath =
9
  process.argv[3] || 'C:\\Users\\zwz-o\\audit_tmp\\gp_poc\\offline_poc_result.json';
10

11
function mustMatch(input, regex, name) {
12
  if (!regex.test(input)) {
13
    throw new Error(`rules check failed: ${name}`);
14
  }
15
}
16

17
function canAccess(requestAuth) {
18
  // Mirrors: function isSignedIn() { return request.auth != null; }
19
  return requestAuth !== null;
20
}
21

22
function main() {
23
  const rules = fs.readFileSync(rulesPath, 'utf8');
24

25
  // Prove exact vulnerable rule exists in target file.
26
  mustMatch(
27
    rules,
28
    /function\s+isSignedIn\s*\(\)\s*{[\s\S]*?request\.auth\s*!=\s*null[\s\S]*?}/m,
29
    'isSignedIn uses request.auth != null'
30
  );
31
  mustMatch(
32
    rules,
33
    /match\s*\/user-media\/\{allPaths=\*\*\}\s*{[\s\S]*?allow\s+create,\s*read,\s*write\s*:\s*if\s*isSignedIn\(\)\s*;[\s\S]*?}/m,
34
    'user-media allows create/read/write for all signed-in users'
35
  );
36

37
  const unauth = null;
38
  const alice = { uid: 'alice_uid', email: '[email protected]' };
39
  const bob = { uid: 'bob_uid', email: '[email protected]' };
40

41
  const targetPath = 'user-media/survey-001/alice_private_note.jpg';
42

43
  const result = {
44
    rulesPath,
45
    targetPath,
46
    checks: {
47
      unauth_create_allowed: canAccess(unauth),
48
      alice_create_allowed: canAccess(alice),
49
      bob_read_allowed: canAccess(bob),
50
      bob_write_allowed: canAccess(bob),
51
    },
52
    exploit_chain: [
53
      'alice uploads file to user-media/**',
54
      'bob reads alice file from same path (allowed)',
55
      'bob overwrites/deletes alice file (allowed)',
56
    ],
57
  };
58

59
  result.vulnerable =
60
    result.checks.unauth_create_allowed === false &&
61
    result.checks.alice_create_allowed === true &&
62
    result.checks.bob_read_allowed === true &&
63
    result.checks.bob_write_allowed === true;
64

65
  fs.mkdirSync(path.dirname(outPath), { recursive: true });
66
  fs.writeFileSync(outPath, JSON.stringify(result, null, 2), 'utf8');
67
  console.log(JSON.stringify(result, null, 2));
68

69
  if (!result.vulnerable) {
70
    process.exit(2);
71
  }
72
}
73

74
main();