Firebase Storage Security Rules

Question

I am using fire base storage for my application which connects to front end. My current storage rules for only of the bucket folders is :

match {groupID}/{userId}/{image} {
        allow read: if isValidProvider() && request.auth.token.groupId == groupID && request.auth.uid == userId;
        allow write: if isValidProvider() && request.auth.uid == userId &&  request.auth.token.groupId== groupID && isImageValid() && isValidImageExtension(image);
      }
    }  

Functions are as below :

function isImageValid(){
    return (request.resource.contentType.matches('image/png') ||
        request.resource.contentType.matches('image/jpg') ||
        request.resource.contentType.matches('image/jpeg') ||
        request.resource.contentType.matches('image/webp') ||
          request.resource.contentType.matches('image/gif'));
        
  }



  function isValidImageExtension(image) {
  return (image.matches('.*[.]png') || 
      image.matches('.*[.]jpeg') ||
      image.matches('.*[.]jpg') ||
      image.matches('.*[.]webp')||
      image.matches('.*[.]gif'));
  }

My intention is the read access is given on groupID basis and write access is given on user ID basis. Also, in the folder - it should only accept images with formats - png/jpeg/jpg/webp/gif

However, while trying to test this via postman - I am able to add a ndjson file or .py file. For Example - The API call ends with - test.jpg but in the body - binary I am adding a .py file. Also, in the storage the .py is saved as type - image/jpg.

This is being added to the storage.

How can I restrict only image files be added from backend ?

Answer 1

The documentation on uploading files is clearest on how contentType is determined:

The putFile() method automatically infers the MIME type from the File extension, but you can override the auto-detected type by specifying contentType in the metadata. If you do not provide a contentType and Cloud Storage cannot infer a default from the file extension, Cloud Storage uses application/octet-stream .

So Firebase does not look at the actual contents of the file to set determine the content type.

Instead the content type is derived from the filename extension, and you can override that by explicitly setting the content type in the metadata when you upload the file.

Since you don't set metadata, the content type is determined from the .jpg extension in the file name. The Python contents are not used in determining that.

---

If you want a stricter check on content type, consider running a Cloud Function that is triggered on an upload and use a file type sniffer that looks at the actual contents of the file to validate the type. You could then either remove the file if its contents don't match its type, or for example add a verified property to the metadata that you can then check in clients.

Answer 2

I have found a way to validate here . Does this help you?