
Security, Pen Testing & Scaling

Open kmturley opened this issue 7 years ago • 4 comments

Need to check:

  • Inputs are sanitized/escaped (no xss)
  • File uploads are restricted to safe formats
  • CSP whitelist (only allow specific domains)
  • User/admin permissions are correct, no holes
  • Firebase read/write rules are correct, no holes
  • Firebase data schema is scalable (don't load whole lists at once, structure into separate lists)
  • Application can scale on firebase hosting, email sending, uploads
  • Estimate costs at scale, compared to static hosting, and Python hosting

kmturley, Sep 07 '17 15:09

Some things to consider: https://github.com/angular/angular-cli/issues/3430 and https://github.com/angular/angular-cli/issues/6872

ankemp, Sep 08 '17 14:09

@kmturley

  • Inputs are sanitized/escaped (no xss) DONE

  • File uploads are restricted to safe formats DONE - restricted on FE and in Storage Rules

  • CSP whitelist (only allow specific domains) DONE - had to add 'unsafe-inline' for CSS + 'unsafe-eval' for JS based on the articles @ankemp commented, then 'unsafe-inline' for JS because of CKEditor (WYSIWYG)

  • User/admin permissions are correct, no holes DONE

  • Firebase read/write rules are correct, no holes DONE

  • Firebase data schema is scalable (don't load whole lists at once, structure into separate lists) DONE

  • Application can scale on firebase hosting, email sending, uploads DONE -- email sending is via Gmail, so it is limited. Scaling email sending would require use of a third-party email service like Mailgun

  • Estimate costs at scale, compared to static hosting, and Python hosting TODO

alexabbott, Sep 08 '17 20:09
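The "restricted on FE and in Storage Rules" item above is the one that matters for security, because a front-end check can be skipped by any client that talks to the bucket directly. The following Firebase Storage rules are an added example written for this thread, not the project's own rules; they assume uploads live under `/uploads/{fileName}`, an image-only policy, and a custom auth claim named `admin` for deletes.

```text
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: all CMS uploads live under /uploads/{fileName}.
    match /uploads/{fileName} {
      // Published uploads are world-readable (tighten if uploads are private).
      allow read: if true;

      // Only signed-in users may create or replace a file, and only when the
      // declared content type is an allowed image format, the object name has
      // a matching extension, and the size stays under 5 MiB. The backend
      // evaluates this, so skipping the front-end validation does not help.
      allow create, update: if request.auth != null
        && request.resource != null
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/(png|jpeg|gif)')
        && fileName.matches('^[A-Za-z0-9_-]+[.](png|jpg|jpeg|gif)$');

      // Deletion is reserved for admins, identified here by an assumed
      // custom claim `admin` set on the user's ID token.
      allow delete: if request.auth != null
        && request.auth.token.admin == true;
    }
    // Any path outside /uploads matches no allow statement and is denied.
  }
}
```

Note that `request.resource.contentType` is metadata declared by the uploading client, so this rule enforces policy on what the client claims, not on the bytes; a byte-level (magic number) check would need a Cloud Function or other server-side step.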

Getting some permissions errors now when I view the admin area:

  • /admins/-473942351
  • /approvals
  • /approvals/products
  • /users
  • /orders
  • etc

Am I an admin?

kmturley, Sep 12 '17 20:09

@kmturley yes, you are a super-admin, but it says your account has not logged in yet? I've updated some of the admin functionality recently so you may have to re-login via /login

The paths you've listed should have /admin in front of them and a couple of them are invalid:

  • /admins/-473942351 - INVALID - should be /admin/admins/edit-admin/ADMINKEY
  • /approvals - should be /admin/approvals
  • /approvals/products - INVALID - there is no separate view for product approvals, all approvals live at /admins/approvals
  • /users - INVALID - should be /admin/customers
  • /orders - should be /admin/orders

alexabbott, Sep 13 '17 15:09