Use After Free in Actix with Firestore

Use After Free occurs when memory is accessed after it has been deallocated. In an Actix web service that integrates with Google Cloud Firestore, this typically arises from improper handling of asynchronous tasks and references to Firestore documents or clients. Actix is a Rust actor framework that relies on message passing and async execution, and if a Firestore client or document handle is dropped while an in-flight async operation still holds a reference, the operation may attempt to use freed memory when it later completes.

Consider an Actix actor that holds a Firestore document snapshot and spawns an async task to process or forward that snapshot. If the actor is dropped or replaced before the task finishes, the snapshot or client reference may become dangling. When the async task resumes and attempts to read from or write to Firestore using that reference, it can trigger undefined behavior or cause the service to crash or leak data. This is especially risky when using Firestore read streams or long-running listeners inside Actix actors without ensuring proper lifecycle management.

Another scenario involves middleware or extractors in Actix that capture a Firestore client by reference to validate or enrich requests. If the request processing future outlives the scope in which the client was valid, the captured reference can dangle. Since Firestore operations are often lazy and executed asynchronously, the unsafe access might not manifest immediately, making the bug hard to detect without active scanning.

The combination of Actix’s asynchronous actor model and Firestore’s remote document access amplifies the risk: Firestore handles and clients may be moved across threads or actors, and if ownership is not explicitly managed with Arc or proper cloning, references can outlive the data they point to. middleBrick can detect such unsafe patterns during unauthenticated scans by analyzing API behavior and spec-defined data flows, flagging endpoints where document or client lifetimes are ambiguous.

Real-world attack patterns that can surface these issues include rapid document creation and deletion, or maliciously crafted requests that force actor restarts while pending Firestore operations are in flight. These can lead to crashes or inconsistent reads, aligning with broader OWASP API Top 10 risks around security misconfiguration and improper error handling. middleBrick’s checks for unsafe consumption and property authorization help surface these concerns by correlating runtime behavior with OpenAPI specifications.

To prevent Use After Free in Actix with Firestore, ensure that all Firestore clients and document references are owned and safely shared across actor lifetimes. Use Arc to wrap Firestore clients and clone the Arc into each actor and async task. This guarantees that the underlying data remains valid as long as any task holds a reference.

Example 1: Safe Firestore client sharing with Arc

use actix_web::{web, App, HttpServer, Responder};
use google_cloud_firestore::client::Client;
use std::sync::Arc;

async fn get_document(
    client: web::Data>,
    doc_path: web::Path,
) -> impl Responder {
    let doc_ref = client.collection("items").doc(doc_path.as_str());
    match doc_ref.get().await {
        Ok(document) => format!("Document data: {:?}", document),
        Err(e) => format!("Error: {}", e),
    }
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    let client = Arc::new(Client::new().await.expect("Failed to create Firestore client"));
    HttpServer::new(move || {
        App::new()
            .app_data(web::Data::from(Arc::clone(&client)))
            .route("/doc/{id}", web::get().to(get_document))
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

Example 2: Actor-safe Firestore access with clone

use actix::prelude::*;
use google_cloud_firestore::client::Client;
use std::sync::Arc;

struct FetchDocActor {
    client: Arc,
    doc_id: String,
}

impl Actor for FetchDocActor {
    type Context = Context;
}

impl FetchDocActor {
    fn new(client: Arc, doc_id: String) -> Self {
        Self { client, doc_id }
    }
}

impl Message for FetchDocActor {
    type Result = Result;
}

impl Handler<FetchDocActor> for MyActor {
    type Result = ();

    fn handle(&mut self, msg: FetchDocActor, _: &mut Self::Context) -> Self::Result {
        let client = Arc::clone(&msg.client);
        actix_web::rt::spawn(async move {
            let doc_ref = client.collection("logs").doc(&msg.doc_id);
            match doc_ref.get().await {
                Ok(doc) => println!("Fetched: {:?}", doc),
                Err(e) => eprintln!("Failed: {}", e),
            }
        });
    }
}

In both examples, the Firestore Client is wrapped in Arc and cloned before being moved into handlers or actors. This ensures that the client is not deallocated while async operations are still using it. Avoid passing references to Firestore objects with lifetimes tied to request scope unless they are backed by shared ownership.

Additionally, ensure that Firestore streams or listeners are explicitly canceled or completed when an actor is stopped. Use Actix’s Running state and stopping hook to clean up tasks and avoid triggering Use After Free when the actor is terminated mid-operation. middleBrick’s continuous monitoring and GitHub Action integration can help surface these issues in CI/CD by failing builds when insecure patterns are detected in submitted API specs or runtime traces.