# Firebase Firestore Security Audit - Find if-true Leaks Free (`renzomacar/firebase-security-auditor`) Actor

Static analyzer for firestore.rules + live anonymous probe. Detects 'if true' wide-open rules, expired test-mode, auth-only patterns, open storage. HTML report with paste-ready fix snippets. Free demo mode if you don't have rules handy.

- **URL**: https://apify.com/renzomacar/firebase-security-auditor.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly user, 0.0% of runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Firebase Firestore Security Auditor

**If your `firestore.rules` has `if true`, expired test-mode, or auth-only-no-ownership patterns, anyone with your project ID can read your users' data right now.** This actor finds those leaks in 30 seconds and tells you exactly which rules to fix.

> Recent census: I scanned 35 random Firebase projects from public GitHub repos. **23% are leaking user data anonymously to a plain `curl` from any IP.** Your project ID is bundled in `firebase-config.js` — it's effectively public the moment you ship.

### What it detects (7 patterns)

- 🚨 **`match /{document=**} { allow read, write: if true; }`** — the classic catch-all (CRITICAL)
- 🚨 Bare `if true` literals on any match block (CRITICAL)
- ⚠️ `if request.auth != null` without an ownership check (HIGH) — lets ANY signed-in user read EVERY user's data, and if Anonymous Authentication is enabled "signed in" is one unauthenticated API call away
- ⚠️ Test-mode timestamp rules, `request.time < timestamp.date(...)` with a date still in the future such as `timestamp.date(2099, 1, 1)` (HIGH) — the console's test-mode default, wide open until that date passes
- ⚠️ Catch-all read open + write closed (MEDIUM) — fine for product catalogs, fatal for `/payments`
- 📦 Storage rules with open read on user uploads (HIGH)
- 💡 Missing explicit default-deny rule (INFO)

Each finding ships with a **paste-ready fix snippet** you drop straight into `firestore.rules`.
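The Firestore patterns above can be checked without the Actor. As an added example that is not the Actor's own code (that lives in the GitHub repos linked below), here is a small Python static analyzer covering the list: catch-all and bare `if true`, auth-only without ownership, test-mode timestamps, and missing default deny. `SAMPLE_RULES` and `HARDENED_RULES` are constructed for the example, the INFO severity for an already-expired test-mode rule is this example's own choice, and Storage rules are out of scope.

```python
import re
from dataclasses import dataclass
from datetime import date

MATCH_RE = re.compile(r'^\s*match\s+(\S+)\s*\{')
ALLOW_RE = re.compile(r'\ballow\s+([\w\s,]+?)\s*:\s*if\s+(.+?)\s*;')
AUTH_ONLY_RE = re.compile(r'request\.auth\s*!=\s*null')
TIMESTAMP_RE = re.compile(r'timestamp\.date\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})\s*\)')
CATCH_ALL_RE = re.compile(r'\{\w+=\*\*\}$')

DENY_ALL_FIX = 'match /{document=**} { allow read, write: if false; }'
OWNER_FIX = 'allow read, write: if request.auth != null && request.auth.uid == uid;'

# Constructed sample (not from any real project): one instance of several patterns.
SAMPLE_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;        // "public catalog"... and every other collection
      allow write: if false;
    }
    match /users/{uid} {
      allow read: if request.auth != null;                              // any signed-in user
      allow write: if request.auth != null && request.auth.uid == uid;  // owner only: fine
    }
    match /drafts/{id} {
      allow read, write: if request.time < timestamp.date(2099, 1, 1);  // console test mode
    }
  }
}
"""

# The README's fix pattern as a whole file; it should produce no findings.
HARDENED_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} { allow read, write: if false; }
    match /users/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""


@dataclass
class Finding:
    severity: str
    title: str
    path: str
    fix: str


def iter_allows(rules_text):
    """Yield (full match path, [ops], condition) per allow statement, tracking nesting."""
    stack, depth = [], 0                        # stack of (match path, depth it opened at)
    for raw in rules_text.splitlines():
        line = raw.split('//', 1)[0]            # drop line comments
        m = MATCH_RE.match(line)
        if m:
            stack.append((m.group(1), depth))
        for a in ALLOW_RE.finditer(line):
            ops = [o.strip() for o in a.group(1).split(',')]
            yield ''.join(p for p, _ in stack), ops, re.sub(r'\s+', ' ', a.group(2)).strip()
        depth += line.count('{') - line.count('}')
        while stack and stack[-1][1] >= depth:  # block closed: drop its match path
            stack.pop()


def analyze(rules_text, today=None):
    """Return findings in the README's categories (Storage rules are out of scope here)."""
    today = today or date.today()
    per_path = {}
    for path, ops, cond in iter_allows(rules_text):
        per_path.setdefault(path, []).append((ops, cond))

    findings, default_deny = [], False
    for path, entries in per_path.items():
        catch_all = bool(CATCH_ALL_RE.search(path))
        open_ops = {op for ops, c in entries if c == 'true' for op in ops}
        closed_ops = {op for ops, c in entries if c == 'false' for op in ops}
        if catch_all and {'read', 'write'} <= closed_ops:
            default_deny = True                 # an explicit deny-all block exists
        if catch_all and {'read', 'write'} <= open_ops:
            findings.append(Finding('CRITICAL', 'Wide-open catch-all rule', path, DENY_ALL_FIX))
        elif catch_all and 'read' in open_ops:
            findings.append(Finding('MEDIUM', 'Catch-all read open, write closed', path, DENY_ALL_FIX))
        elif open_ops:
            findings.append(Finding('CRITICAL', "Bare 'if true' on match block", path, OWNER_FIX))
        for ops, cond in entries:
            label = ','.join(ops)
            if AUTH_ONLY_RE.search(cond) and 'request.auth.uid' not in cond:
                findings.append(Finding('HIGH', f'{label}: auth-only, no ownership check', path, OWNER_FIX))
            ts = TIMESTAMP_RE.search(cond)
            if ts and date(*map(int, ts.groups())) > today:
                findings.append(Finding('HIGH', f'{label}: test-mode rule open until {ts.group(0)}', path, OWNER_FIX))
            elif ts:   # past date: the block now denies everything; INFO is this example's choice
                findings.append(Finding('INFO', f'{label}: expired test-mode rule, block now denies', path, OWNER_FIX))
    if not default_deny:
        findings.append(Finding('INFO', 'No explicit default-deny catch-all', '/', DENY_ALL_FIX))
    return findings
```

`analyze(SAMPLE_RULES)` returns four findings, in order: MEDIUM for the catch-all read, HIGH for the auth-only `/users` read, HIGH for the 2099 test-mode rule on `/drafts`, and INFO for the missing default deny; `analyze(HARDENED_RULES)` returns none. A comment-aware regex pass like this handles one-statement-per-line rules; conditions split across lines or `allow` statements without an `if` are not parsed, so treat an empty result from an unfamiliar file as "nothing matched", not "nothing wrong".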

### How to run

You can run with EITHER one of these inputs:

1. **`projectId`** — sends an anonymous GET to your Firestore REST endpoint to confirm what's leaking live
2. **`rulesContent`** — paste the contents of your `firestore.rules` file for static analysis

Run with both for the complete picture. Both are optional — if you provide neither, the actor runs a DEMO against a known-bad rules fixture so you can see what the report looks like.
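The `projectId` probe is a single unauthenticated GET to the Firestore REST document root. As an added example (not the Actor's implementation), the Python below builds that URL, checks the project ID has the shape a GCP project ID must have, and classifies the response the way a reviewer should read it: a 200 with documents is a confirmed leak, a 403 `PERMISSION_DENIED` only shows that anonymous reads are blocked, and a 404 usually means no Firestore database exists under that ID. The two sample responses are constructed, not captured from any project; `run_probe` is the only function that touches the network and is not called at import.

```python
import json
import re
import urllib.error
import urllib.request

DOC_ROOT = 'https://firestore.googleapis.com/v1/projects/{pid}/databases/(default)/documents'
PROJECT_ID_RE = re.compile(r'[a-z][a-z0-9-]{4,28}[a-z0-9]')   # GCP project-ID shape, 6-30 chars


def probe_url(project_id):
    """The unauthenticated URL the README names; reject anything that is not a project ID."""
    if not PROJECT_ID_RE.fullmatch(project_id):
        raise ValueError(f'not a Firebase/GCP project ID: {project_id!r}')
    return DOC_ROOT.format(pid=project_id)


def _result(verdict, body, docs=(), data=None):
    return {
        'verdict': verdict,
        'count': len(docs),
        # Document names are full resource paths; keep only the part under /documents/.
        'paths': [d['name'].split('/documents/', 1)[1] for d in docs if 'name' in d],
        'bytes': len(body),
        'truncated': bool(data and 'nextPageToken' in data),  # more pages: count is a lower bound
    }


def classify(status, body):
    """Turn (HTTP status, response body) into a verdict a report can act on."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 200:
        docs = data.get('documents', [])
        return _result('LEAKING' if docs else 'OPEN_BUT_EMPTY', body, docs, data)
    error_status = (data.get('error') or {}).get('status', '')
    if status == 403 or error_status == 'PERMISSION_DENIED':
        # Rules deny anonymous reads. Not proof of safety: a `request.auth != null`
        # rule still opens the data to anyone who signs up, or to Anonymous Auth.
        return _result('DENIED', body)
    if status == 404 or error_status == 'NOT_FOUND':
        return _result('NOT_FOUND', body)           # no Firestore database, or wrong project ID
    return _result(f'UNEXPECTED_{status}', body)


def run_probe(project_id, timeout=10):
    """The live GET: the only network call in this example. Point it at projects you own."""
    req = urllib.request.Request(probe_url(project_id), headers={'User-Agent': 'rules-probe-example'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode('utf-8', 'replace'))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode('utf-8', 'replace'))


# Constructed sample responses (not captured from any real project).
SAMPLE_LEAK = (200, json.dumps({'documents': [
    {'name': 'projects/demo-app-1a2b3/databases/(default)/documents/users/abc123',
     'fields': {'email': {'stringValue': 'a@example.com'}}},
    {'name': 'projects/demo-app-1a2b3/databases/(default)/documents/users/def456',
     'fields': {'email': {'stringValue': 'd@example.com'}}},
]}))
SAMPLE_DENIED = (403, json.dumps({'error': {
    'code': 403, 'message': 'Missing or insufficient permissions.', 'status': 'PERMISSION_DENIED'}}))
```

`classify(*SAMPLE_LEAK)` reports `LEAKING` with two paths under `users/`; `classify(*SAMPLE_DENIED)` reports `DENIED`. Treat `DENIED` as "anonymous read blocked", not as a pass: the auth-only pattern needs a signed-in probe to confirm, and `truncated` tells you the first page was not the whole listing.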

### What you get

Two outputs land in the run's storage:

- **`REPORT`** in the Key-Value Store: a self-contained HTML page with letter grade (A+ to F), severity charts, per-finding fix snippets with copy buttons, and an "apply all fixes" bundle at the bottom. Open in any browser, forward to your team.
- **Dataset rows**: one structured row per finding for piping into your own pipeline.

### Sample finding (from the demo run)

```
[CRITICAL] Wide-open catch-all rule
Target: match /{document=**}
★ CONFIRMED LEAK — anonymous Firestore REST returned 47 documents (12,453 bytes)
Paths visible: users/abc123, users/def456, ...

Fix snippet (paste into firestore.rules):
match /{document=**} {
  allow read, write: if false;
}
match /users/{uid} {
  allow read: if request.auth != null && request.auth.uid == uid;
  allow write: if request.auth != null && request.auth.uid == uid;
}
```

### Want a written report + Q&A support?

Free actor → you find leaks. **$29 lite tier** (top 3 fixes + written summary) or **$99 full audit** (every match block + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.

Free in-browser scanner (no install, no actor): https://perufitlife.github.io/firebase-security-skill/scan.html

### Source code

All MIT licensed:

- CLI: https://github.com/Perufitlife/firebase-security-skill
- MCP server (Claude Code, Cursor, Cline): https://github.com/Perufitlife/firebase-security-mcp

### Sister auditors (same family)

If you also use other BaaS products:

- **Supabase** — https://apify.com/renzomacar/supabase-security-auditor
- **PocketBase** — https://apify.com/renzomacar/pocketbase-security-auditor
- **Appwrite** — https://apify.com/renzomacar/appwrite-security-auditor
- **Hasura/Nhost** — https://apify.com/renzomacar/nhost-security-auditor

All open source: https://github.com/Perufitlife

# Actor input Schema

## `projectId` (type: `string`):

Your Firebase project ID — find it in Firebase console → Project Settings → General. The auditor sends an unauthenticated GET to https://firestore.googleapis.com/v1/projects/<projectId>/databases/(default)/documents — same call any anonymous visitor with your project ID can make. If documents come back, your DB is leaking.

## `rulesContent` (type: `string`):

Paste the full contents of your firestore.rules file (find it in your Firebase project repo). Static analyzer detects: match-all wildcards with 'if true', expired test-mode rules, auth-only-no-ownership patterns. Optional — leave blank if you only want the live probe.

## `activeProbe` (type: `boolean`):

When ON (default), the probe sends an anonymous GET against the deployed Firestore REST endpoint when a project ID is provided. Confirms whether the leak is real (vs only theoretical from rules text).

## `outputFormat` (type: `string`):

`html-report` saves a self-contained HTML page to the KV store key `REPORT`; `json` pushes only structured rows to the dataset; `both` does both.

## Actor input object example

```json
{
  "projectId": "my-app-1a2b3",
  "rulesContent": "rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    // paste your actual rules here\n    match /{document=**} {\n      allow read, write: if true;  // example dangerous rule\n    }\n  }\n}",
  "activeProbe": true,
  "outputFormat": "html-report"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "projectId": "your-firebase-project-id",
    "rulesContent": `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // paste your actual rules here
    match /{document=**} {
      allow read, write: if true;  // example dangerous rule
    }
  }
}`
};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/firebase-security-auditor").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {
    "projectId": "your-firebase-project-id",
    "rulesContent": """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // paste your actual rules here
    match /{document=**} {
      allow read, write: if true;  // example dangerous rule
    }
  }
}""",
}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/firebase-security-auditor").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "projectId": "your-firebase-project-id",
  "rulesContent": "rules_version = '\''2'\'';\\nservice cloud.firestore {\\n  match /databases/{database}/documents {\\n    // paste your actual rules here\\n    match /{document=**} {\\n      allow read, write: if true;  // example dangerous rule\\n    }\\n  }\\n}"
}' |
apify call renzomacar/firebase-security-auditor --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/firebase-security-auditor",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Firebase Firestore Security Audit - Find if-true Leaks Free",
        "description": "Static analyzer for firestore.rules + live anonymous probe. Detects 'if true' wide-open rules, expired test-mode, auth-only patterns, open storage. HTML report with paste-ready fix snippets. Free demo mode if you don't have rules handy.",
        "version": "0.1",
        "x-build-id": "Age89HKknwQCibEeh"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~firebase-security-auditor/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-firebase-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~firebase-security-auditor/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-firebase-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~firebase-security-auditor/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-firebase-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "projectId": {
                        "title": "Firebase project ID",
                        "type": "string",
                        "description": "Your Firebase project ID — find it in Firebase console → Project Settings → General. The auditor sends an unauthenticated GET to https://firestore.googleapis.com/v1/projects/<projectId>/databases/(default)/documents — same call any anonymous visitor with your project ID can make. If documents come back, your DB is leaking."
                    },
                    "rulesContent": {
                        "title": "firestore.rules content (optional, but recommended)",
                        "type": "string",
                        "description": "Paste the full contents of your firestore.rules file (find it in your Firebase project repo). Static analyzer detects: match-all wildcards with 'if true', expired test-mode rules, auth-only-no-ownership patterns. Optional — leave blank if you only want the live probe."
                    },
                    "activeProbe": {
                        "title": "Active probe (anonymous Firestore REST)",
                        "type": "boolean",
                        "description": "When ON (default), the probe sends an anonymous GET against the deployed Firestore REST endpoint when a project ID is provided. Confirms whether the leak is real (vs only theoretical from rules text).",
                        "default": true
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "html-report",
                            "json",
                            "both"
                        ],
                        "type": "string",
                        "description": "html-report saves a self-contained HTML to KV store key REPORT. json pushes only structured rows to the dataset. both does both.",
                        "default": "html-report"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
