0

I have created a public bucket using Firebase storage. The rules allow anyone to read the files. The issue is that with the public link, the user can use the partial URL to list everything in the directory. This can lead to IDOR vulnerability.

Any idea how to keep the files public but stop listing of directory items in a Firestore bucket?

4
  • Are you using ACLs or IAM to manage access? Edit your question with details on what is configured in Google Cloud Storage.
    – John Hanley
    Commented Nov 29, 2022 at 20:40
  • Can you you provide details asked by John Hanley?
    – Roopa M
    Commented Nov 30, 2022 at 6:32
  • I haven't configured IAM on GCP so I am assuming it should be ACL. The bucket was created using the Firebase UI which doesn't provide the option to select a particular access control method. Or maybe I don't know where to look for this.
    – toughyear
    Commented Nov 30, 2022 at 8:37
  • Firebase Storage is Cloud Storage. Go to the Google Cloud Console and check.
    – John Hanley
    Commented Nov 30, 2022 at 9:00

1 Answer 1

Reset to default
1

By default ACL on the bucket gives READ access, which leads to access objects by anyone. To prevent listing the objects, make sure users don't have an ACL on the bucket itself.

Run the following comment to achieve this

gsutil acl ch -d AllUsers gs://yourbucket

If you wish to use IAM configuration, apply the Cloud Storage Legacy - Storage Legacy Object Reader for allUser which does not include permissions to list objects in a bucket.

Not the answer you're looking for? Browse other questions tagged or ask your own question.