PluginBench
Skill
Official
Pass
Audit score 90

firestore-security-rules-auditor

firebase/agent-skills

Audit Firestore security rules for vulnerabilities and compliance with security best practices.

What is firestore-security-rules-auditor?

This skill evaluates Firebase Security Rules against a rigorous security framework, identifying vulnerabilities like privilege escalation, data leaks, and business logic bypasses. Use it when creating or updating Firestore rules to ensure they withstand adversarial attack patterns.

  • Performs red-team security analysis on Firestore rules to find bypass vulnerabilities
  • Checks for privilege escalation risks and self-assigned role attacks
  • Validates create vs. update rule consistency to prevent state manipulation
  • Identifies resource exhaustion and DoS risks from missing size/length limits
  • Assesses field-level vs. identity-level security controls
  • Verifies type safety and data integrity constraints

How to install firestore-security-rules-auditor

npx skills add https://github.com/firebase/agent-skills --skill firestore-security-rules-auditor
Claude Code
Cursor
Windsurf
Cline

How to use firestore-security-rules-auditor

  1. 1.Provide your Firestore security rules to the auditor
  2. 2.The skill will evaluate them against the mandatory audit checklist (update bypass, authority source, business logic, storage abuse, type safety, field vs. identity security)
  3. 3.Review the returned JSON assessment with score (1-5), summary, and detailed findings
  4. 4.Address each finding by severity level (critical, major, moderate, minor)
  5. 5.Re-run the audit after making rule changes to verify fixes

Use cases

Good for
  • Review security rules before deploying to production Firestore databases
  • Audit existing rule sets after updates to catch new vulnerabilities
  • Validate that role-based access controls cannot be bypassed through create/update sequences
  • Check for PII exposure or over-permissive read access in collaborative apps
  • Ensure admin bootstrapping does not create privilege escalation paths
Who it's for
  • Firebase/Firestore developers
  • Security engineers reviewing database access controls
  • DevSecOps teams implementing compliance checks
  • Backend developers building collaborative or multi-tenant applications

firestore-security-rules-auditor FAQ

What does a score of 5 mean?

A score of 5 indicates comprehensive validation, strict ownership checks, and role-based access via secure ACLs with no identified vulnerabilities.

How does the auditor distinguish between field-level and identity-level security?

The auditor checks whether rules use hasOnly() or diff() to restrict fields but lack ownership checks (e.g., resource.data.uid == request.auth.uid). Field restrictions alone do not prevent unauthorized users from modifying another user's data.

Is hardcoded admin email checking penalized?

No, hardcoded admin email checks are acceptable if email_verified is also validated and the implementation does not allow privilege escalation or additional admins to self-assign.

What is the 'Update Bypass' check?

It compares create and update rules to detect if a user can create a valid document then update it into an invalid state (e.g., changing role, bypassing limits, corrupting data types).

What severity levels are used in findings?

Findings are rated as critical (unauthorized access/escalation), major (broken logic/privilege bypass), moderate (PII exposure/inconsistent validation), or minor (self-data corruption/missing limits).

Full instructions (SKILL.md)

Source of truth, from firebase/agent-skills.


name: firestore-security-rules-auditor description: A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are extremely secure and robust.

Overview

This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

Scoring Criteria

Assessment: Security Validator (Red Team Edition)

You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

Mandatory Audit Checklist:

  1. The Update Bypass: Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
  2. Authority Source: Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
  3. Business Logic vs. Rules: Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
  4. Storage Abuse: Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
  5. Type Safety: Are fields checked with 'is string', 'is int', or 'is timestamp'?
  6. Field-Level vs. Identity-Level Security: Be careful with rules that use `hasOnly()` or `diff()`. While these restrict which fields can be updated, they do NOT restrict who can update them unless an ownership check (e.g., `resource.data.uid == request.auth.uid`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

Admin Bootstrapping & Privileges:

The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:

  • email_verified is also checked (request.auth.token.email_verified == true).
  • It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.

Scoring Criteria (1-5):

  • 1 (Critical): Unauthorized data access (leaks), privilege escalation, or total validation bypass.
  • 2 (Major): Broken business logic, self-assigned roles, bypass of controls.
  • 3 (Moderate): PII exposure (e.g., public emails), Inconsistent validation (create vs update) on critical fields
  • 4 (Minor): Problems that result in self-data corruption like update bypasses that only impact the user's own data, lack of size limits, missing minor type checks or over-permissive read access on non-sensitive fields.
  • 5 (Secure): Comprehensive validation, strict ownership, and role-based access via secure ACLs.

Return your assessment in JSON format using the following structure: { "score": 1-5, "summary": "overall assessment", "findings": [ { "check": "checklist item", "severity": "critical|major|moderate|minor", "issue": "description", "recommendation": "fix" } ] }