
⭐ Add Firebase provider for security scanning #7128

Open
philipbalinov wants to merge 6 commits into main from feat/firebase-provider

Conversation

@philipbalinov (Contributor)

Summary

  • New firebase provider that checks Firebase projects for security misconfigurations via public HTTP endpoints
  • Auto-discovers Firebase config from domains by scanning /__/firebase/init.js, inline HTML, and linked JS bundles
  • Also supports explicit --project-id and --api-key flags for direct access
  • All checks are read-only — no write probes

Resources

| Resource | What it checks |
| --- | --- |
| firebase.project | Root — project ID, API key, auth domain, domain |
| firebase.project.realtimeDatabase | Public read access and structure exposure via {project}.firebaseio.com/.json |
| firebase.project.authConfig | Authorized domains, sign-in providers, anonymous auth via Identity Toolkit API |
| firebase.project.hosting | .well-known/apple-app-site-association and assetlinks.json |
| firebase.project.storage | Public bucket listing via Firebase Storage API |

Usage

# With explicit credentials
mql shell firebase --project-id my-project --api-key AIzaSy...
> firebase.project.authConfig { authorizedDomains signInProviders anonymousAuthEnabled }

# With domain auto-discovery
mql shell firebase --domain myapp.web.app
> firebase.project { * }

Test plan

  • Build provider: make providers/build/firebase && make providers/install/firebase
  • Test with a known Firebase project ID + API key
  • Test domain auto-discovery against a Firebase-hosted site
  • Test domain auto-discovery against a non-Firebase-hosted site that uses Firebase Auth
  • Verify authConfig.authorizedDomains returns the expected domain list
  • Verify unreachable/non-Firebase domains fail with a clear error message

🤖 Generated with Claude Code

New provider that checks Firebase projects for security misconfigurations
via public HTTP endpoints. Supports auto-discovery of Firebase config from
domains (init.js, inline HTML, JS bundles) or explicit --project-id/--api-key.

Resources:
- firebase.project: root resource with project metadata
- firebase.project.realtimeDatabase: checks public read access
- firebase.project.authConfig: authorized domains, sign-in providers, anonymous auth
- firebase.project.hosting: .well-known paths (Apple/Android app links)
- firebase.project.storage: public bucket listing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
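The auto-discovery step described in the summary (pulling projectId, apiKey and authDomain out of /__/firebase/init.js or an inline script) and the GCP project ID validation can be shown end to end. The code below is an added example, not the provider's own implementation: the regex-based extraction, the struct field names and the sample init.js text are this example's assumptions; the project ID rule (6-30 lowercase letters, digits or hyphens, starting with a letter and not ending with a hyphen) is the documented GCP format.

```go
package main

import (
	"fmt"
	"regexp"
)

// FirebaseWebConfig holds the public web-app config fields the scanner
// discovers. Field names are this example's assumption, not the .lr schema.
type FirebaseWebConfig struct {
	ProjectID  string
	APIKey     string
	AuthDomain string
}

// GCP project IDs: 6-30 chars, lowercase letters/digits/hyphens, must start
// with a letter and must not end with a hyphen.
var projectIDRe = regexp.MustCompile(`^[a-z][a-z0-9-]{4,28}[a-z0-9]$`)

// ValidProjectID reports whether s matches the GCP project ID format.
func ValidProjectID(s string) bool { return projectIDRe.MatchString(s) }

// keyRe builds a pattern for `key: "value"` / `"key": 'value'` as found in
// firebase.initializeApp({...}) calls.
func keyRe(key string) *regexp.Regexp {
	return regexp.MustCompile(`["']?` + key + `["']?\s*:\s*["']([^"']+)["']`)
}

var configKeyRe = map[string]*regexp.Regexp{
	"projectId":  keyRe("projectId"),
	"apiKey":     keyRe("apiKey"),
	"authDomain": keyRe("authDomain"),
}

// ExtractFirebaseConfig pulls the config out of JS text such as the body of
// /__/firebase/init.js or an inline <script>. ok is false when no valid
// projectId is present, so junk matches in unrelated JS are rejected.
func ExtractFirebaseConfig(js string) (FirebaseWebConfig, bool) {
	get := func(key string) string {
		if m := configKeyRe[key].FindStringSubmatch(js); m != nil {
			return m[1]
		}
		return ""
	}
	cfg := FirebaseWebConfig{
		ProjectID:  get("projectId"),
		APIKey:     get("apiKey"),
		AuthDomain: get("authDomain"),
	}
	if !ValidProjectID(cfg.ProjectID) {
		return FirebaseWebConfig{}, false
	}
	return cfg, true
}

// sampleInitJS is a constructed stand-in for what Firebase Hosting serves at
// /__/firebase/init.js; the key and app ID are placeholders, not real values.
const sampleInitJS = `if (typeof firebase === 'undefined') throw new Error('hosting/init-error');
firebase.initializeApp({
  "projectId": "example-app-12345",
  "appId": "1:000000000000:web:PLACEHOLDER",
  "apiKey": "AIzaPLACEHOLDER_NOT_A_REAL_KEY",
  "authDomain": "example-app-12345.firebaseapp.com",
  "databaseURL": "https://example-app-12345.firebaseio.com"
});`

func main() {
	cfg, ok := ExtractFirebaseConfig(sampleInitJS)
	fmt.Printf("found=%v projectId=%s authDomain=%s\n", ok, cfg.ProjectID, cfg.AuthDomain)
}
```

Rejecting the result when the projectId fails the format check is what keeps the scanner from treating an arbitrary `projectId:` string in some unrelated bundle as a Firebase target.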
github-actions Bot (Contributor) commented Apr 8, 2026

Test Results

6 119 tests ±0 (6 115 ✅ ±0, 4 💤 ±0, 0 ❌ ±0), 439 suites ±0, 35 files ±0, 2m 9s ⏱️ +7s

Results for commit 70bb92d. ± Comparison against base commit e6ed809.

♻️ This comment has been updated with latest results.

mondoo-code-review Bot left a comment

Firebase provider exposes API key in resource fields and has HTTP response body leaks from unclosed/late-closed readers.

Comment thread providers/firebase/resources/firebase.lr
Comment thread providers/firebase/resources/firebase.go
Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go
Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/connection/connection.go
Comment thread providers/firebase/connection/connection.go
Comment thread providers/firebase/connection/connection.go
tas50 (Member) commented Apr 8, 2026

A few other places to add this provider:

  • DEVELOPMENT.md example block
  • providers/defaults.go: required to make it actually work

@tas50 tas50 changed the title Add Firebase provider for security scanning :start: Add Firebase provider for security scanning Apr 8, 2026
@tas50 tas50 changed the title :start: Add Firebase provider for security scanning ⭐ Add Firebase provider for security scanning Apr 8, 2026
- Fix RTDB check: drain response body before close for connection reuse,
  continue to next URL variant on 404 instead of breaking
- Fix shallow query response body leak: use defer immediately
- Fix hosting well-known checks: read and close inline instead of defer
  to release connections promptly
- Remove dead code in auth config parsing (unused signIn block)
- Tighten projectId regex to match GCP project ID format (6-30 chars,
  lowercase, starts with letter)
- Cap JS bundle scanning to 15 URLs to bound network I/O
- Add redirect limit (5 hops) on HTTP client for safety when scanning
  arbitrary domains

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
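Two of the fixes in this commit, draining the response body before closing it and capping redirects at 5 hops, are easy to get subtly wrong in Go. The block below is an added example (not the provider's drainAndClose or its HTTP client) showing both against a constructed local test server; the hop count comes from the commit, the 1 MiB drain limit and the 10 s timeout are this example's assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// maxRedirects is the hop cap named in the commit above.
const maxRedirects = 5

// maxDrainBytes bounds how much of a body we read just to recycle the
// connection when scanning an arbitrary host (assumed limit for this example).
const maxDrainBytes = 1 << 20

// drainAndClose reads what is left of the body before closing it. A body that
// is closed without being read to EOF makes net/http discard the keep-alive
// connection instead of returning it to the pool.
func drainAndClose(body io.ReadCloser) {
	if body == nil {
		return
	}
	_, _ = io.Copy(io.Discard, io.LimitReader(body, maxDrainBytes))
	_ = body.Close()
}

// newScanClient returns a client with a hard timeout that refuses to follow
// more than maxRedirects hops (Go's default CheckRedirect allows 10).
func newScanClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= maxRedirects {
				return fmt.Errorf("stopped after %d redirects", maxRedirects)
			}
			return nil
		},
	}
}

// fetchStatus performs a GET and returns the status code; the body is always
// drained and closed even though the caller does not use it.
func fetchStatus(client *http.Client, url string) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		// on a CheckRedirect error Go has already closed the returned body
		return 0, err
	}
	defer drainAndClose(resp.Body)
	return resp.StatusCode, nil
}

// scanServer is a constructed stand-in for a scanned domain: /loop redirects
// to itself forever and counts the redirects it issued, /ok returns JSON.
type scanServer struct {
	*httptest.Server
	redirects atomic.Int32
}

func newScanServer() *scanServer {
	s := &scanServer{}
	mux := http.NewServeMux()
	mux.HandleFunc("/loop", func(w http.ResponseWriter, r *http.Request) {
		s.redirects.Add(1)
		http.Redirect(w, r, "/loop", http.StatusFound)
	})
	mux.HandleFunc("/ok", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"ok":true}`))
	})
	s.Server = httptest.NewServer(mux)
	return s
}

// RedirectsFollowed fetches /loop and reports how many redirect responses the
// server issued before the client gave up, plus the client's error.
func RedirectsFollowed() (int, error) {
	s := newScanServer()
	defer s.Close()
	_, err := fetchStatus(newScanClient(), s.URL+"/loop")
	return int(s.redirects.Load()), err
}

// StatusOfOK fetches /ok and returns its status code.
func StatusOfOK() (int, error) {
	s := newScanServer()
	defer s.Close()
	return fetchStatus(newScanClient(), s.URL+"/ok")
}

func main() {
	n, err := RedirectsFollowed()
	fmt.Printf("redirects issued before cap: %d (err: %v)\n", n, err)
	code, err := StatusOfOK()
	fmt.Printf("/ok status: %d (err: %v)\n", code, err)
}
```

The `defer drainAndClose(resp.Body)` placed immediately after the error check is the pattern the commit moves to; deferring only at the end of a long function, or closing without draining, is what produced the leaked connections the review flagged.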
@mondoo-code-review mondoo-code-review Bot dismissed their stale review April 8, 2026 19:52

Superseded by new review

mondoo-code-review Bot left a comment

Most previous issues are fixed; response bodies still not drained before close in some paths.

Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.lr

Switch all child resources (realtimeDatabase, authConfig, hosting, storage)
from CreateResource in computed methods to the standard init function pattern.
This fixes "cannot convert primitive with NO type information" errors caused
by data not surviving gRPC serialization between provider subprocess and
executor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mondoo-code-review Bot left a comment

Refactors child resources to use init functions for proper gRPC serialization; minor HTTP body drain issue persists.

Comment thread providers/firebase/resources/firebase.go Outdated

New attack vector checks for the Firebase provider:

- authConfig.emailEnumerationProtection: detects if email enumeration
  protection is enabled (parses emailPrivacyConfig from Identity Toolkit
  response, falls back to probing signInWithPassword error messages)
- hosting.sourceMapExposed + exposedSourceMaps: scans JS bundles linked
  from the domain for publicly accessible .js.map files that leak source
- firebase.project.firestore: checks if the default Firestore database
  is publicly readable and extracts exposed collection IDs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mondoo-code-review Bot left a comment

New email enumeration probe makes active sign-in attempts against target Firebase projects; source map and other HTTP responses leak connections when not fully drained.

Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go

Firestore rules often block document reads but forget to restrict
listCollectionIds. The new probe POST to :listCollectionIds reveals
top-level collection names even when GET /documents returns 403.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mondoo-code-review mondoo-code-review Bot dismissed their stale review April 9, 2026 16:43

Superseded by new review

mondoo-code-review Bot left a comment

Firestore listCollectionIds probe marks database as publicly readable even when only collection names (not documents) are exposed.

Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go Outdated
Comment thread providers/firebase/resources/firebase.go

- Add drainAndClose helper and use it everywhere to ensure HTTP
  connection reuse (response bodies must be fully read before close)
- Replace signInWithPassword probe with createAuthUri for email
  enumeration detection (read-only, no auth audit log writes)
- Add structureExposed field to Firestore resource to distinguish
  collection ID leaks from actual document read access
- Fix checked counter to only increment on actual HTTP requests
  (skipped CDN scripts no longer count toward the limit)
- Document apiKey field semi-public nature in .lr schema

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mondoo-code-review Bot left a comment

Firebase Firestore scanning now correctly separates structure exposure from document readability

// Merge with any collections found from document reads
seen := map[string]bool{}
for _, c := range exposedCollections {
    seen[c.(string)] = true
}

🟡 warning — (Persists from previous review) c.(string) is an unsafe type assertion on []interface{} elements. While current code only appends strings, this is fragile — a future change could introduce a non-string element and cause a panic. Use a safe assertion:

for _, c := range exposedCollections {
    if s, ok := c.(string); ok {
        seen[s] = true
    }
}
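The separation the commit introduces (structureExposed versus actual document readability) and the checked type assertion the reviewer asks for above can be put together in one small classifier. This is an added example, not the provider's Firestore resource: the result and probe structs, the field names and the constructed probe responses are assumptions; the Firestore document name layout projects/{p}/databases/{db}/documents/{collection}/{doc} is the documented format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// FirestoreExposure keeps the two findings apart (assumed field names).
type FirestoreExposure struct {
	PubliclyReadable   bool     // an unauthenticated document read succeeded
	StructureExposed   bool     // top-level collection names were observable
	ExposedCollections []string // merged from both probes, de-duplicated, sorted
}

// ProbeResult is what the two read-only probes returned: status of
// GET .../documents plus the document names in its body, and status of
// POST .../documents:listCollectionIds plus its raw JSON body.
type ProbeResult struct {
	DocumentsStatus int
	DocumentNames   []string
	ListStatus      int
	ListBody        []byte
}

// collectionFromDocName extracts the top-level collection from a document
// resource name, e.g. projects/p/databases/(default)/documents/users/abc -> users.
func collectionFromDocName(name string) (string, bool) {
	const marker = "/documents/"
	i := strings.Index(name, marker)
	if i < 0 {
		return "", false
	}
	rest := name[i+len(marker):]
	if j := strings.Index(rest, "/"); j >= 0 {
		rest = rest[:j]
	}
	return rest, rest != ""
}

// parseCollectionIDs decodes a listCollectionIds body and keeps only string
// entries: the checked assertion skips an unexpected element instead of
// panicking, which is the point raised in the review above.
func parseCollectionIDs(body []byte) []string {
	var resp struct {
		CollectionIDs []interface{} `json:"collectionIds"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil
	}
	var ids []string
	for _, c := range resp.CollectionIDs {
		if s, ok := c.(string); ok && s != "" {
			ids = append(ids, s)
		}
	}
	return ids
}

// ClassifyFirestore: only a successful document read sets PubliclyReadable;
// collection names learned from either probe set StructureExposed.
func ClassifyFirestore(p ProbeResult) FirestoreExposure {
	seen := map[string]bool{}
	ex := FirestoreExposure{}
	if p.DocumentsStatus == 200 {
		ex.PubliclyReadable = true
		for _, n := range p.DocumentNames {
			if c, ok := collectionFromDocName(n); ok {
				seen[c] = true
			}
		}
	}
	if p.ListStatus == 200 {
		for _, c := range parseCollectionIDs(p.ListBody) {
			seen[c] = true
		}
	}
	for c := range seen {
		ex.ExposedCollections = append(ex.ExposedCollections, c)
	}
	sort.Strings(ex.ExposedCollections)
	ex.StructureExposed = len(ex.ExposedCollections) > 0
	return ex
}

// Constructed sample: rules deny document reads but leave listCollectionIds
// open; the body includes a non-string element to exercise the safe path.
var sampleStructureOnly = ProbeResult{
	DocumentsStatus: 403,
	ListStatus:      200,
	ListBody:        []byte(`{"collectionIds":["users","orders",42]}`),
}

// Constructed sample: documents readable, listCollectionIds denied.
var sampleReadable = ProbeResult{
	DocumentsStatus: 200,
	DocumentNames: []string{
		"projects/example-app/databases/(default)/documents/users/u1",
		"projects/example-app/databases/(default)/documents/users/u2",
		"projects/example-app/databases/(default)/documents/orders/o1",
	},
	ListStatus: 403,
}

func main() {
	fmt.Printf("%+v\n", ClassifyFirestore(sampleStructureOnly))
	fmt.Printf("%+v\n", ClassifyFirestore(sampleReadable))
}
```

For the first sample the result is structureExposed without publiclyReadable, which is exactly the case the earlier review said was being mislabelled as a public database.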

@github-actions (Contributor)

@check-spelling-bot Report

🔴 Please review

See the 📂 files view, the 📜 action log, or 📝 job summary for details.

Unrecognized words (1)

assetlinks

These words are not needed and should be removed BYOS

To accept these unrecognized words as correct and remove the previously acknowledged and now absent words, you could run the following commands

... in a clone of the git@github.com:mondoohq/mql.git repository
on the feat/firebase-provider branch (ℹ️ how do I use this?):

curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c/apply.pl' |
perl - 'https://github.com/mondoohq/mql/actions/runs/24532582877/attempts/1' &&
git commit -m 'Update check-spelling metadata'
Available 📚 dictionaries could cover words (expected and unrecognized) not in the 📘 dictionary

This includes both expected items (329) from .github/actions/spelling/expect.txt and unrecognized words (1)

| Dictionary | Entries | Covers | Uniquely |
| --- | --- | --- | --- |
| cspell:node/dict/node.txt | 891 | 7 | 3 |
| cspell:fullstack/dict/fullstack.txt | 419 | 4 | 3 |
| cspell:python/src/python/python-lib.txt | 2417 | 7 | 1 |
| cspell:php/dict/php.txt | 1689 | 4 | 1 |
| cspell:python/src/python/python.txt | 392 | 3 | |

Consider adding them (in .github/workflows/spell-check.yaml) in jobs:/spelling: to extra_dictionaries:

            cspell:node/dict/node.txt
            cspell:fullstack/dict/fullstack.txt
            cspell:python/src/python/python-lib.txt
            cspell:php/dict/php.txt
            cspell:python/src/python/python.txt

To stop checking additional dictionaries, add (in .github/workflows/spell-check.yaml):

check_extra_dictionaries: ""
Warnings ⚠️ (1)

See the 📂 files view, the 📜 action log, or 📝 job summary for details.

⚠️ Warnings Count
⚠️ duplicate-pattern 5

See ⚠️ Event descriptions for more information.

If the flagged items are false positives

If items relate to a ...

  • binary file (or some other file you wouldn't want to check at all).

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.

2 participants