Injection Flaws in Koa with Firestore
Injection Flaws in Koa with Firestore — how this specific combination creates or exposes the vulnerability
Injection flaws occur when untrusted data is interpreted as part of a command or query. In a Koa application using Google Cloud Firestore, the risk centers on how queries are constructed from user-supplied input. Firestore supports parameterized queries and strict validation for its native SDK, but developers can introduce injection-like behavior by dynamically building queries using concatenation or by passing unsanitized input into field paths, collection names, or raw Firestore JavaScript SDK methods.
Koa’s middleware architecture means request parameters, query strings, and body values are readily available. If these values are used directly to construct Firestore references or query constraints, an attacker may be able to probe data structures or force reads that should be restricted. For example, using user input to determine a document path such as db.collection(usersInput).doc(docId) can expose collections that should remain private, effectively turning the application into an unauthorized enumeration interface.
Another scenario involves the use of JavaScript evaluation patterns to dynamically build filter objects. Consider an endpoint that builds an array of filters based on URL query parameters:
// Risky: building query constraints from raw user input
const filters = [];
if (req.query.field) filters.push({ field: req.query.field, op: '==', value: req.query.value });
const snapshot = await db.collection('products').where(filters[0].field, filters[0].op, filters[0].value).get();
If req.query.field is not strictly validated, an attacker might supply a path such as __proto__ or other sensitive document fields, leading to unintended data access patterns. Although Firestore does not support traditional SQL-style injection, the misuse of dynamic keys and unsanitized input can result in over-permissive reads, privilege escalation across user data, and exposure of sensitive fields. These patterns align with the BOLA/IDOR and Property Authorization checks in middleBrick’s 12 security tests, which specifically look for insecure direct object references and missing field-level authorization in query construction.
Additionally, Firestore’s index management and composite index requirements can inadvertently reveal schema details when error messages expose missing index errors based on user-controlled ordering or filtering. Attackers can use these errors to infer collection structures, a form of information disclosure that complements injection-style enumeration. The combination of Koa’s flexible routing and Firestore’s schema-on-read model means that careful input validation and strict query design are essential to prevent abuse.
Firestore-Specific Remediation in Koa — concrete code fixes
Remediation focuses on strict input validation, avoiding dynamic field names, and using Firestore’s built-in protections. Always treat user input as untrusted and never directly interpolate values into collection or document paths. Use allowlists for expected values and enforce type checks before constructing queries.
1. Use parameterized collection names with an allowlist
Define a set of valid collections and verify incoming values against it:
const validCollections = new Set(['products', 'categories', 'orders']);
app.use(async (ctx, next) => {
const { collectionName } = ctx.params;
if (!validCollections.has(collectionName)) {
ctx.status = 400;
ctx.body = { error: 'Invalid collection' };
return;
}
const collectionRef = db.collection(collectionName);
// proceed with safe reference
await next;
});
2. Avoid dynamic field paths; validate field names explicitly
Do not allow user input to dictate field names in where clauses. Instead, map user-friendly parameters to known fields:
const fieldMap = {
name: 'productName',
category: 'categoryId',
price: 'price'
};
app.use(async (ctx) => {
const userField = ctx.query.field; // e.g., "name"
const userValue = ctx.query.value;
const firestoreField = fieldMap[userField];
if (!firestoreField) {
ctx.status = 400;
ctx.body = { error: 'Invalid field' };
return;
}
const snapshot = await db.collection('products').where(firestoreField, '==', userValue).get();
ctx.body = snapshot.docs.map(d => d.data());
});
3. Use Firestore Transactions for read-modify-write patterns
When updates are necessary, use transactions to ensure consistency and avoid injection through concatenated update paths:
const docRef = db.collection('accounts').doc(userId);
await db.runTransaction(async (transaction) => {
const doc = await transaction.get(docRef);
if (!doc.exists) {
throw new Error('Document does not exist');
}
// Safe: using a fixed field name, not user input
transaction.update(docRef, { balance: doc.data().balance + amount });
});
4. Leverage Firestore security rules for server-side enforcement
Even with input validation in Koa, define security rules that restrict reads and writes to authorized user scopes. For user-specific data, use request.auth to enforce ownership:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /products/{productId} {
allow read: if request.auth != null && request.auth.uid == request.resource.data.ownerId;
allow write: if request.auth != null && request.auth.uid == request.resource.data.ownerId;
}
}
}
These rules act as a final safeguard, ensuring that even if an attacker bypasses Koa-level checks, Firestore itself will reject unauthorized operations. Combining strict input handling in the application layer with robust security rules in Firestore provides a defense-in-depth approach that aligns with the remediation guidance provided by middleBrick’s findings.