@firebase/rules-unit-testing does not test storage "update" security rules (always evaluates "create" rule, even if file is being updated not created) #5079

Closed
@lovelle-cardoso

[REQUIRED] Describe your environment

  • Operating System version: Windows 10 Home Version 20H2, Build 19042.1052
  • Browser version: N/A (using mocha and @firebase/rules-unit-testing testing library)
  • Firebase SDK version: @firebase/rules-unit-testing 1.3.8
  • Firebase Product: storage, storage emulator

[REQUIRED] Describe the problem

It is not currently possible to unit test "update" storage security rules using @firebase/rules-unit-testing. When you try to overwrite an existing file, the security rules always check the "create" rule instead of the "update" rule.


Steps to reproduce:

Step 1: Create a storage.rules file with rules that allow creating but not updating

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    allow read:  if true;
    allow write:  if false;
    match /folder/{fileId} {
      allow create: if true;
    }
  }
}

Step 2: Write a unit test that checks that creates are allowed and a unit test that checks that updates are denied

import * as firebase from "@firebase/rules-unit-testing";
process.env.FIREBASE_STORAGE_EMULATOR_HOST = "localhost:9199";
(global as any).XMLHttpRequest = require("xhr2");

describe("storage update bug", () => {
  it("can create", async () => {
    const client = firebase.initializeTestApp({  storageBucket: "test-bucket" }).storage();
    // Create 5mb file
    const file = Buffer.allocUnsafe(5000000);
    await firebase.assertSucceeds(
      client.ref().child("folder/dummy").put(file).then()
    );
  });
  it("CANNOT update", async () => {
    const client = firebase.initializeTestApp({  storageBucket: "test-bucket" }).storage();
    // Create 5mb file
    const createFile = Buffer.allocUnsafe(5000000);
    await firebase.assertSucceeds(
      client.ref().child("folder/dummy").put(createFile).then()
    );
    // Update 5mb file (should fail, but does not fail!)
    const updateFile = Buffer.allocUnsafe(5000000);
    await firebase.assertFails(
      client.ref().child("folder/dummy").put(updateFile).then()
    );
  });
});

[REQUIRED] Expected behavior

Should throw a permission denied error. And "CANNOT update" test should pass.


[REQUIRED] Actual behavior

No permission denied error is thrown. The client is allowed to update the file despite the fact that the rules say they should not be allowed to update the file. And the "CANNOT update" test fails.
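
A toy model of the rule-method selection this issue describes, added here as an illustration; it is not code from the issue, the SDK or the emulator. It assumes stored objects persist between tests, and the names `classifyExpected`, `classifyReported`, `cannotUpdateTest` and the path `folder/fresh` are hypothetical.

```javascript
// Toy model (added illustration, not emulator or SDK code).
// Rules from the issue for /folder/{fileId}: only `create` is granted.
const FOLDER_RULES = { create: () => true };

// Expected semantics: writing to an existing object is an `update`.
const classifyExpected = (store, path) => (store.has(path) ? "update" : "create");
// Behaviour reported in the issue: every upload is evaluated as `create`.
const classifyReported = () => "create";

// Evaluate one upload; the store changes only when the rule grants it.
function put(store, path, data, classify) {
  const method = classify(store, path);
  const rule = FOLDER_RULES[method];
  const allowed = typeof rule === "function" && rule() === true;
  if (allowed) store.set(path, data);
  return { method, allowed };
}

// Mirrors the "CANNOT update" test: first upload must succeed, second must fail.
function cannotUpdateTest(store, path, classify) {
  const first = put(store, path, "v1", classify);
  if (!first.allowed) return { passed: false, reason: `setup denied as ${first.method}` };
  const second = put(store, path, "v2", classify);
  return second.allowed
    ? { passed: false, reason: `overwrite allowed as ${second.method}` }
    : { passed: true, reason: `overwrite denied as ${second.method}` };
}

// Three scenarios; paths other than folder/dummy are constructed.
function scenarios() {
  const shared = new Map();
  put(shared, "folder/dummy", "v0", classifyExpected); // earlier "can create" test
  return {
    reported: cannotUpdateTest(new Map(), "folder/dummy", classifyReported),
    expectedFreshPath: cannotUpdateTest(shared, "folder/fresh", classifyExpected),
    expectedReusedPath: cannotUpdateTest(shared, "folder/dummy", classifyExpected),
  };
}

console.log(scenarios());
```

Under the expected semantics the deny-update check only passes when the test writes to a path no earlier test has created, so a per-test path (or clearing stored objects between tests) keeps the check meaningful once updates are classified correctly.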
