---
id: gh-firebase-security-rules-auditor
name: "firebase-security-rules-auditor"
url: https://skills.yangsir.net/skill/gh-firebase-security-rules-auditor
author: firebase
domain: security
tags: ["firebase", "security", "auditor", "firestore", "rules"]
install_count: 25200
rating: 4.60 (120 reviews)
github: https://github.com/firebase/agent-skills/tree/main/skills/firebase-security-rules-auditor
---

# firebase-security-rules-auditor

> 此技能作为 Firebase 安全规则的审计工具，通过一套严格的标准评估规则的安全性、健壮性和正确性。它能帮助开发者发现潜在的安全漏洞，如数据泄露、权限提升或业务逻辑缺陷，确保 Firestore 数据的完整性和用户隐私。

**Stats**: 25,200 installs · 4.6/5 (120 reviews)

## Before / After 对比

### Firebase 安全规则审计效率

**Before**:

手动审查 Firebase 安全规则耗时且容易遗漏关键漏洞，可能导致数据泄露或权限滥用，给应用带来严重安全风险。

**After**:

通过自动化审计，快速发现 Firebase 安全规则中的深层漏洞，确保规则的健壮性，显著降低安全风险和人工审查成本。

| Metric | Before | After | Change |
|---|---|---|---|
| 发现关键漏洞时间 | 60小时 | 5小时 | -92% |

## Readme

# Overview
This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

# Scoring Criteria
## Assessment: Security Validator (Red Team Edition)
You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

### Mandatory Audit Checklist:
1. **The Update Bypass:** Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
2. **Authority Source:** Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
3. **Business Logic vs. Rules:** Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
4. **Storage Abuse:** Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
5. **Type Safety:** Are fields checked with 'is string', 'is int', or 'is timestamp'?
6. **Field-Level vs. Identity-Level Security:** Be careful with rules that use \`hasOnly()\` or \`diff()\`. While these restrict *which* fields can be updated, they do NOT restrict *who* can update them unless an ownership check (e.g., \`resource.data.uid == request.auth.uid\`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

### Admin Bootstrapping & Privileges:
The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:
- email_verified is also checked (request.auth.token.email_verified == true).
- It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.

### Scoring Criteria (1-5):
- **1 (Critical):** Unauthorized data access (leaks), privilege escalation, or total validation bypass.
- **2 (Major):** Broken business logic, self-assigned roles, bypass of controls.
- **3 (Moderate):** PII exposure (e.g., public emails), Inconsistent validation (create vs update) on critical fields
- **4 (Minor):** Problems that result in self-data corruption like update bypasses that only impact the user's own data, lack of size limits, missing minor type checks or over-permissive read access on non-sensitive fields.
- **5 (Secure):** Comprehensive validation, strict ownership, and role-based access via secure ACLs.

Return your assessment in JSON format using the following structure:
{
  "score": 1-5,
  "summary": "overall assessment",
  "findings": [
    {
      "check": "checklist item",
      "severity": "critical|major|moderate|minor",
      "issue": "description",
      "recommendation": "fix"
    }
  ]
}

---
*Source: https://skills.yangsir.net/skill/gh-firebase-security-rules-auditor*
*Markdown mirror: https://skills.yangsir.net/api/skill/gh-firebase-security-rules-auditor/markdown*