Skip to content

Secure Firebase configuration and prevent XSS/injection attacks#46

Draft
Frostfire25 with Copilot wants to merge 5 commits into
masterfrom
copilot/analyze-firebase-security-risks
Draft

Secure Firebase configuration and prevent XSS/injection attacks#46
Frostfire25 with Copilot wants to merge 5 commits into
masterfrom
copilot/analyze-firebase-security-risks

Conversation

Copilot AI commented Jan 25, 2026

Copy link
Copy Markdown

Firebase credentials were hardcoded and publicly visible. Database had no security rules, allowing potential unauthorized access. User inputs were unsanitized, enabling XSS and path injection attacks.

Changes

Environment-based Configuration

  • Moved Firebase credentials from hardcoded values to environment variables
  • Created .env.example template (actual .env remains gitignored)
  • Updated firebaseConfig.js to consume process.env.*

Firebase Security Rules

  • Created database.rules.json with authentication requirements on all operations
  • Enforces @merrimack.edu email domain validation
  • Ownership-based write authorization (users can only modify their own content)
  • Input validation (field lengths, types, required fields)
{
  "knowledgebase": {
    "$postId": {
      ".write": "auth != null && data.child('maintainer_email').val() == auth.token.email"
    }
  }
}

Input Sanitization

  • Added src/utils/sanitize.js with DOMPurify-based utilities:
    • sanitizeHtml() - allowlist-based HTML sanitization for rich content
    • sanitizeText() - strips all HTML for plain text fields
    • sanitizeDatabasePath() - removes Firebase special chars (. $ # [ ] /)
    • sanitizeEmail() - validates and sanitizes email addresses

Applied to all user input points: post creation/editing, comments, user profiles, database paths.

// Before
const path = `knowledgebase/${userTitle}`;
await set(ref(db, path), { information: userContent });

// After
const sanitizedTitle = sanitizeDatabasePath(userTitle);
const sanitizedContent = sanitizeHtml(userContent);
const path = `knowledgebase/${sanitizedTitle}`;
await set(ref(db, path), { information: sanitizedContent });

Documentation

  • SECURITY.md - implementation details, deployment checklist, incident response
  • SECURITY_ANALYSIS.md - vulnerability assessment and risk analysis
  • Updated README.md with environment setup instructions

Security Impact

  • Before: Public credentials, open database, XSS/injection vulnerabilities
  • After: Protected credentials, authenticated/authorized access, sanitized inputs

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits January 25, 2026 21:29
…ation utils

Co-authored-by: Frostfire25 <40621935+Frostfire25@users.noreply.github.com>
Co-authored-by: Frostfire25 <40621935+Frostfire25@users.noreply.github.com>
@Frostfire25 Frostfire25 requested a review from tone-man January 25, 2026 21:32
Copilot AI and others added 2 commits January 25, 2026 21:33
Co-authored-by: Frostfire25 <40621935+Frostfire25@users.noreply.github.com>
Co-authored-by: Frostfire25 <40621935+Frostfire25@users.noreply.github.com>
Copilot AI changed the title [WIP] Identify and fix Firebase security risks Secure Firebase configuration and prevent XSS/injection attacks Jan 25, 2026
Copilot AI requested a review from Frostfire25 January 25, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants