Firebase Security rule to restrict up to some characters of a string - firebase

How to restrict user to save string that is above some limit?
I am getting Invalid property access: target is not an object if try to validate in security rules with length property of a string.

The Firebase Security Rules now support a length property for strings, as well as several other string methods including replace(), contains(), toUpperCase(), toLowerCase(), etc.
See https://firebase.google.com/docs/reference/security/database/#string_properties for more information.

The syntax you can use in rules are detailed here.
Unfortunately, being able to perform string operations (match, length, etc) are not available at this time. SEE ROB'S ANSWER BELOW, THIS FEATURE IS NOW AVAILABLE
I know this is at least on the Firebase radar because I requested a similar feature some time ago.
If you explain the exact details of what you want to solve, it will allow for a much more specific answer; for now I'll give you some general ideas.
Use a privileged app
Monitor Firebase with a privileged application and whenever a value is written to the specific fields you need string validation on, check it manually and delete it if invalid.
Naturally, client validation will take care of all valid use cases. So this is only needed to prevent malicious insertions.
Alternately, you can approach this more as an audit. Just email any invalid strings to some address to be reviewed. Since the client is going to make sure the string is valid before insertion, you are once again just looking at bugs or malicious behaviors.
Delegate writing to an API
Instead of letting the client write privileged data, send it to an API and have the API write that data--making it read only to the client.
Don't worry about it
Do you really need to validate the length? Is it sufficient to simply look and see if it's a string? Is it really a concern that someone would "hack" the contents of a string? Probably not. It could be, but probably not.
And if it is a concern, can it be solved by another avenue? If there is a server involved, just use the process outlined above.

Related

How does one expose constants in a java google app engine Endpoints API?

Simple question -- how do you expose constants in a java google app engine Endpoints API?
e.g
public static final int CODE_FOO = 3845;
I'd like the client of the Endpoints to be able to match on CODE_FOO rather than on 3845. I'll end up doing enum wrappers (which probably is better anyway) but I'm just starting to be curious if this is even doable? Thx
Note that this isn't a full answer but here is a workaround: in Android Studio, create a very light-weight "common" java project and shove anything you want to keep in sync there such as constants as well as common types that you want exposed (e.g. an enum representing all possible return / error codes, etc).
This way you should get pretty decent compiler-time safety and keep these guys in sync.
Please feel free to comment if anyone has better suggestions.
This is unfortunately a Law of Information (ahem). If you have a message protocol you defined, both sides of the interaction need to be aware of the messages that could be passed. There's no other way for the client to be aware of what it needs to respond to. Ajax libraries hard-code the number "200" to be able to detect a successful request, as one example.
Yes, just use a switch statement on strings inside your client code. Or, you could use a dictionary of strings pointing to functions and just call the function after de-referencing the dictionary given the string you got.

Is it possible to read Evernote content without having to authenticate?

What is the easiest, lowest-friction method to read a note programmatically in Evernote? Given that you can share notes by simply generating a unique URL to them, I find it curious that you can't do this programatically as well.
Put another way, I can read notes from my browser without having to authenticate to Evernote. Can I do this programmatically as well? If I have a URL with GUID, can I use this to request the note via code and read it that way?
I attempted to do this -- to use the "Share" URL to read the note. It didn't work, for some reason. When requested programmtically, I was getting 404s for some reason, which makes me think Evernote has some safeguards against using it in this method.
Is there a way to do this -- to read note content via some service without having to authenticate?
Well actually you can. You just need to use the getNote method with an empty string as the first argument (auth token).

Understanding "Not permitted. Untrusted code may only update documents by ID." Meteor error

In Meteor 0.5.8 the following change was introduced:
Calls to the update and remove collection functions in untrusted code
may no longer use arbitrary selectors. You must specify a single
document ID when invoking these functions from the client (other than
in a method stub).
So now if you want to push arbitrary updates to the db from the client console, you have to do something like:
People.update({_id:People.findOne({name:'Bob'})['_id']}, {$set:{lastName:'Johns'}});
Instead of:
People.update({name:'Bob'}, {$set:{lastName:'Johns'}});
I thought that this security issue controlled by setting the Meteor.Collection.allow and .deny functions in conjunction with the autopublish and insecure packages. I liked being able to interact with the db from the Chrome JavaScript Console.
What is the motivation for the changes in Meteor 0.5.8?
From the Meteor blog:
Changes to allow/deny rules
Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.
This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by #jan-glx.
To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.
So basically, from my point of view, you almost never want the behavior to be able to update and delete arbitrary sets of documents from the client without any more specific knowledge (like the id of the document).
When prototyping—which I'm guessing is what you're doing—I suppose it can get in the way, but then if you ever want to get your code into production, I believe the pros outweigh the cons. This also comes down to the security declarations (allow and deny) being easier to specify after this change.
Hope that gave you some more information.

So why should we use POST instead of GET for posting data? [duplicate]

This question already has answers here:
Closed 13 years ago.
Possible Duplicates:
How should I choose between GET and POST methods in HTML forms?
When do you use POST and when do you use GET?
Obviously, you should. But apart from doing so to fulfil the HTTP protocol, are there any reasons to do so? Less overhead? Some kind of security thing?
because GET must not alter the state of the server by definition.
see RFC2616 9.1.1 Safe Methods:
9.1.1 Safe Methods
Implementors should be aware that the
software represents the user in their
interactions over the Internet, and
should be careful to allow the user to
be aware of any actions they might
take which may have an unexpected
significance to themselves or others.
In particular, the convention has been
established that the GET and HEAD
methods SHOULD NOT have the
significance of taking an action other
than retrieval. These methods ought to
be considered "safe". This allows user
agents to represent other methods,
such as POST, PUT and DELETE, in a
special way, so that the user is made
aware of the fact that a possibly
unsafe action is being requested.
If you use GET to alter the state of the server then a search engine bot or some link prefetching extension in a web browser can wreak havoc on your site and (for example) delete all user data just by following links to your site.
There is a nice paper by the W3C about this: URIs, Addressability, and the use of HTTP GET and POST.
1.3 Quick Checklist for Choosing HTTP GET or POST
Use GET if:
The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).
Use POST if:
The interaction is more like an order, or
The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
The user be held accountable for the results of the interaction
Because, if you use GET to alter state, Google can delete your stuff.
When do you use POST and when do you use GET?
How should I choose between GET and POST methods in HTML forms?
If you accept GETs to perform write operations then a malicious hacker could inject somewhere links to perform an unauthorized operation. Your user clicks on a link - and something is deleted from a database. Or maybe some amount of money is transferred away from the user's account if he's still logged in to their online banking.
http://superbank.com/TransferMoney?amount=1000&recipient=2342524
Send a malicious email with an embedded image referencing this link, and as soon as the document is opened, something funny has happened behind the scenes.
GET is limited by the length of URL the browser/server can handle. This used to be as short as 256 characters.
There is atleast one situation where you want a GET to change data on the server. That is when a GET returns data, and you need to record which data was given to a user and when it was given.
If you use complex data types then it must be in a POST it cannot be in a GET. For example testing a WCF web service in a browser can only be done when the contract uses simple data types.
Using GET and POST where it is expected helps to keep your program understandable.
When you use POST, you can see the information being "posted" in the address-bar of the web browser. This is [apparently] not the case when you use the GET method.
This article was somewhere on http://www.w3schools.com/ Once I've found the exact page it was on, I'll repost. :-)

Security with QueryString values in Asp.net MVC

How do you properly ensure that a user isnt tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentController which takes a CommentID. The action url might look like /Comments/Delete/3 to delete the comment with the id 3.
Now obviously you dont want anyone to be able to delete comment 3. Normally on the owner of the comment or an admin has permission to do so. Ive seen this security enforced different ways and would like to know how some of you do it.
Do you make multiple Database calls to retrieve the comment and check that the author of the comment matches the user invoking the delete action?
Do you instead pass the CommentID and the UserID down to the stored procedure who does the delete and do a Delete where UserID and CommentID equal the values passed in?
Is it better to encrypt the query string values?
You don't.
It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.
It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.
Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.
Enrypting and decrypting query params is a trivial process and there are some great examples of how to do so using an HttpModule here on StackOverflow.
"You Don't", "You can't", or "It's not easy" are simply not acceptable responses in this day and age...
Vyrotek: The input method is not important. GET, POST, encrypted/obfuscated GET - no real difference. No matter the way your application receives commands, to perform an administrative action it must make sure that the issuing user is allowed to do the stuff he wants. The permission check must take place AFTER the command is received and BEFORE it gets executed. Otherwise it's no security at all.
Consider using technique outlined in Stephen Walther's article Tip #46 – Don’t use Delete Links because they create Security Holes which uses [AcceptVerbs(HttpVerbs.Delete)]
You can also allow only Post requests to Delete controller action by using the Accept Verbs attribute as seen below.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Delete(int? id)
{
//Delete
}
Then you could also use the antiforgery token as discussed here:
http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
I've done funky things take the querystring, compress it, Base64 or just hex encode it, so that "commentid=4&userid=12345" becomes "code=1a2b23de12769"
It's basically "Security through obscurity" but it does make a lot of work for someone trying to hack the site.
You cannot easily do this.
I have fond memories of a site that used action urls to do deletes.
All was good until they started search crawling the intranet.
Ooops, goodbye data.
I would recommend a solution whereby you do not use querystrings for anything you do not wish to be edited.

Resources