1

I have setup my storage security rules to only allow authenticated users to post images that are less than 3mb with the following rule:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
          // Only allow uploads of any image file that's less than 3MB
      allow write: if request.resource.size < 3 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
      allow read, write: if request.auth != null;
    }
  }
}

However, I just tested from my client and I was able to upload a picture that is 14mb. I have given plenty of time for security rules to set.

How did I bypass this rule?

ErnestoC
  • 2,660
  • 1
  • 6
  • 19
Lukas Vis
  • 407
  • 5
  • 14

3 Answers3

2

Please see here:

In the case where multiple allow expressions match a request, the access is allowed if any of the conditions is true

So in your case:

allow read, write: if request.auth != null;

let the user to write files with any size.

I think this is the rule you want:

allow write: if request.auth != null &&
                request.resource.size < 3 * 1024 * 1024 && 
                request.resource.contentType.matches('image/.*');
allow read: if request.auth != null;
RafaelJan
  • 3,118
  • 1
  • 28
  • 46
2

While the other answers provided you with security rules you could use, it’s also good to add that you can test your security rules using the Firebase rules playground. Using this tool, you can tell exactly the resolution of each of your rules when tested against an event (create, read, update, delete).

I tested your security rules and received this output:

enter image description here

As you can see, while your file size limit rule is working fine, the broader allow write: if request.auth != null; rule is still letting your request go through. This is what the other answers pointed out and what is included in the documentation:

If any of the “allow” rules for the method are satisfied, the request is allowed. Additionally, if a broader rule grants access, rules grant access and ignore any more granular rules that might limit access.

ErnestoC
  • 2,660
  • 1
  • 6
  • 19
1

You also have allow read, write: if request.auth != null; which overrides the previous one. Try removing write from 2nd line:

match /{allPaths=**} {
  // Only allow uploads of any image file that's less than 3MB
  allow write: if request.resource.size < 3 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
  allow read: if request.auth != null;
}
Dharmaraj
  • 47,845
  • 8
  • 52
  • 84