How to stop listing all items in a Firebase Storage public bucket?
Question
I have created a public bucket using Firebase storage. The rules allow anyone to read the files. The issue is that with the public link, the user can use the partial URL to list everything in the directory. This can lead to IDOR vulnerability.
Any idea how to keep the files public but stop listing of directory items in a Firestore bucket?
1 answers
solution1
1 ACCPTED 2022-11-30 09:23:57
By default ACL on the bucket gives READ access, which leads to access objects by anyone. To prevent listing the objects, make sure users don't have an ACL on the bucket itself.
Run the following comment to achieve this
gsutil acl ch -d AllUsers gs://yourbucket
If you wish to use IAM configuration, apply the Cloud Storage Legacy - Storage Legacy Object Reader for allUser which does not include permissions to list objects in a bucket.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.