I have created a public bucket using Firebase storage. The rules allow anyone to read the files. The issue is that with the public link, the user can use the partial URL to list everything in the directory. This can lead to IDOR vulnerability.
Any idea how to keep the files public but stop listing of directory items in a Firestore bucket?
CodePudding user response:
By default ACL on the bucket gives READ access, which leads to access objects by anyone. To prevent listing the objects, make sure users don't have an ACL on the bucket itself.
Run the following comment to achieve this
gsutil acl ch -d AllUsers gs://yourbucket
If you wish to use IAM configuration, apply the Cloud Storage Legacy - Storage Legacy Object Reader for allUser
which does not include permissions to list objects in a bucket.