I have the following code in storage rules , but I cannot get it to work right, I need to prevent storing items other than pngs in to storage ? , but it is erroring out.
// Add to storage
allow write:
if request.auth != null // Authorized
&& request.auth.uid == userId // Owner
&& request.resource.size < 1 * 1024 * 1024 // Uploaded item must be less than 1mb !
&& request.resource.contentType.matches('image/.*'); // only image !!
// && request.resource.contentType.matches('image/.png'); // only PNG !!
try with .png or .PNG. It checks if the filename ends with .png
// Add to storage
allow write:
if request.auth != null // Authorized
&& request.auth.uid == userId // Owner
&& request.resource.size < 1 * 1024 * 1024 // Uploaded item must be less than 1mb !
&& request.resource.contentType.matches('image/.*'); // only image !!
&& request.resource.name.matches(".*\\.png"); // only PNG !!
Related
I am trying to set rules that will allow only users to create and update folders in this path: UsersMedia/folderName , where folderName is the userId .
Then I would like to not allow uploads to any other path in the Storage other then this.
service firebase.storage {
match /b/{bucket}/o {
// first rule
match /{allPaths=**} {
allow write: if false;
allow delete: if false;
}
match /UsersMedia/{userId} {
allow create, update: if (request.auth.uid == userId) && resource.size < 25000 * 1024; //25Mb;
allow delete:if false;
allow read;
}
This works only if i set the first rule to allow write, if I remove the first rule it won't work at all.
Also, the rule of the size and the userId just won't take place, so i can upload files larger than the max.
What's happening ?
Turns out the first rule will take over the other rules.
So I removed it.
Then I had a mistake and I fixed it with :
if (request.auth.uid == userId) && request.resource.size < 25 * 1024 * 1024;
To limit file size.
Now it all works.
The question is specific to a pattern that Flawfinder reports:
The snippet
unsigned char child_report;
...
auto readlen = read(pipefd[0], (void *) &child_report, sizeof(child_report));
if(readlen == -1 || readlen != sizeof(child_report)) {
_ret.failure = execute_result::PREIO ; // set some flags to report to the caller
close(pipefd[0]);
return _ret;
}
...
int sec_read = read(pipefd[0], (void *) &child_report, sizeof(child_report));
child_report = 0; // we are not using the read data at all
// we just want to know if the read is successful or not
if (sec_read != 0 && sec_read != -1) { // if success
_ret.failure = execute_result::EXEC; // it means that the child is not able to exec
close(pipefd[0]); // as we set the close-on-exec flag
return _ret; // and we do write after exec in the child
}
I turned out that Codacy (therefore flawfinder) reports such issues on both read:
Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
I don't understand.
There is no loop.
In the second case we are not using the read data at all
This is not typical C string, and we don't rely on the ending '\0'
Is there any flaw that I'm not aware of in the code?
I finally conclude this should be a false positive. I check Flawfinder's code and it seems that it is basically doing pattern matching.
https://github.com/david-a-wheeler/flawfinder/blob/293ca17d8212905c7788aca1df7837d4716bd456/flawfinder#L1057
I'm trying to create a Security Rule based upon request.time as given in an example on AngularFirebase website.
My function is
function isThrottled() {
return request.time < resource.data.lastUpdate + duration.value(1, 'm')
}
Where I'm trying to allow update: if isThrottled() == false
However, when I try to update a document with this rule, it fails due to time being not defined on the object.
Error: simulator.rules line [169], column [12]. Property time is
undefined on object.
Shouldn't every request have a time or TimeStamp attached to it? Is this something to do with how I'm initializing my Cloud Functions or client app?
Screenshots below:
EDIT
A snippet for the rest of the update security rules are:
service cloud.firestore {
match /databases/{db}/documents {
match /users/{userId} {
match /username/{id} {
allow update: if isSelf(userId)
&& usernameAvailable(incomingData().username)
&& incomingData().username is string
&& incomingData().username.size() <= 25
&& incomingFields().size() == 1
&& isThrottled() == false;
}
}
function incomingData() {
return request.resource.data
}
function isThrottled() {
return request.time < resource.data.lastUpdate + duration.value(1, 'm')
}
function incomingFields() {
return incomingData().keys()
}
function isSelf(userId) {
return userId == currentUser().uid;
}
function usernameAvailable(username) {
return !exists(/databases/$(db)/documents/usernames/$(username));
}
}
}
The username collection is a subcollection under each user document (in the users root collection. Each username document only has 1 field called username that users can update).
This might not be useful for your case in particular, but I had the same error when checking a custom claim on the token object.
Before accessing the field you can use in to check whether the property exists on the object. This code generates the error if agent is not defined:
allow write: if request.auth != null && request.auth.token.agent == true;
This code works fine if agent is not defined:
allow write: if request.auth != null && "agent" in request.auth.token && request.auth.token.agent == true;
I am working on a project and there is a custom module in that which have the drupal redirection code in it here is the code :
if (empty($_GET['destination'])
&& isset($_COOKIE["abc"])
&& $_COOKIE["abc"]<>''
&& ($_POST['form_id'] != 'user_pass_reset'))
{
$_GET['destination'] = "xyz" ;
}
}
Can anyone please explain the 3rd line of code or maybe all of it. Thanks
I have added comments to the source. <> is the same as !=. See PHP Comparison Opperators.
if (empty($_GET['destination']) //Check if $_GET['destination'] is empty.
&& isset($_COOKIE["abc"]) //Check if $_COOKIE["abc"] is not NULL.
&& $_COOKIE["abc"]<>'' //Check if $_COOKIE["abc"] does not equal an empty string.
&& ($_POST['form_id'] != 'user_pass_reset')) //Check if $_POST['form_id'] is not 'user_pass_reset'
{
$_GET['destination'] = "xyz" ; //Set $_GET['destination'] to "xyz"
}
}
should be modify a little bit in second line
if (empty($_GET['destination']) //Check if $_GET['destination'] is empty.
&& isset($_COOKIE["abc"]) //Check if $_COOKIE["abc"] is EXISTS.
&& $_COOKIE["abc"]<>'' //Check if $_COOKIE["abc"] does not equal an empty string.
&& ($_POST['form_id'] != 'user_pass_reset')) //Check if $_POST['form_id'] is not 'user_pass_reset'
{
$_GET['destination'] = "xyz" ; //Set $_GET['destination'] to "xyz"
}
}
I have a 1v1 game that I am updating to 3 players (eventually 4) and I am running into an issue with player tracking when the user is playing against 2 computer players.
I have a Game NSObject that handles all of the major code for the gameplay, and also controls the actions of the computer players. In the past, I have been good with 2 properties in Game.h (User and Opponent), and now I have 3 (User, Opponent, Opponent2). Declared like the following:
#property (retain) Player *user;
The problem comes in when I need to use a method that controls computer player actions. As an example, when the computer player needs to bid, it must know the bids and some other info about it's opponents. A snippet of the old code is:
- (void)computerBiddingObjects {
// ... other stuff
if (_opponentPoints == 110 && _userPoints >= 90 && _userDidBid != YES) {
bid = bidTwenty;
} else if (_opponentPoints == 115 && _userPoints >= 90 && _userDidBid != YES) {
bid = bidTwentyFive;
}
// ... other stuff
}
In order to get information for the opposing players, a thought I had was to add 2 new properties to Player.h in order to track each player's opponents (opponent1 and opponent2). My question is, if I set the properties for each Player as in:
_opponent.opponent = _user;
_opponent.opponent2 = _opponent2;
Can I refer to them and/or set their individual properties in both contexts? Would these statements be equivalent given the above:
_opponent.opponent.didBid = YES;
_user.didBid = YES;
Also, could I access the Player objects properties like this new version of the bidding code snippet?
- (void)computerBiddingObjectsForOpponent:(Player *)opponent {
// ... other stuff
if (opponent.points == 110 && self.currentBid < bidTwenty && ((opponent.opponent1.points >= 90 && opponent.opponent1.didBid != YES) || (opponent.opponent2.points >= 90 && opponent.opponent2.didBid != YES))) {
bid = bidTwenty;
} else if (opponent.points == 115 && self.currentBid < bidTwentyFive && ((opponent.opponent1.points >= 90 && opponent.opponent1.didBid != YES) || (opponent.opponent2.points >= 90 && opponent.opponent2.didBid != YES))) {
bid = bidTwentyFive;
}
// ... other stuff
opponent.bid = bid.
}
Am I way off base/off track? Is there an easier way to do this?
This is indeed equivalent.
But ...
The didBid will be set by the other players as well (as they hold the same reference to that player, overwriting what each player has set.
You are creating a retain cycle you might need to break manually (or set the opponents properties as weak).
It might be best if each player will keep a "Strategy" object for each opponent, and that strategy will have a reference to the player. This way, each player may have different strategy against any other player.