AikidoSec
Support for Google Firestore
We believe that protecting Firebase Firestore does not add much value. MongoDB queries are JSON-like and can be built from raw user input. An attacker can inject operators ($ne, $gt, etc.) and change query behavior and Zen can spot these patterns. The Firestore client SDKs don’t expose a raw query language and queries are built through strongly typed methods (.where("field", "==", value) etc.). There’s no equivalent of $gt or $or an attacker can smuggle in via input, unless you write code that reinterprets arbitrary user JSON into Firestore queries yourself. Because Firestore queries are structurally constrained, there is no injection surface for a firewall to detect. The real risks come from business logic errors, like letting users indirectly choose fields/operators without validation. Please let us know if we are missing a use case and what you would expect Zen to do, since we don’t use Firestore ourselves.
