CVE-2023-6460: fix: Don't allow serialization of firestore settings by abhishekwebcode · Pull Request #1742 · googleapis/nodejs-firestore
nodejs-firestore could leak the Firestore key through logging: developers who logged objects that carry this._settings would also log the Firestore key, potentially exposing it to anyone with read access to the logs. We recommend upgrading to version 6.1.0 to avoid this issue.
When logging any Firestore object like WriteBatch, Transaction, etc., the settings object also gets logged / exposed.
This can be seen by running JSON.stringify on any Firestore object, even a document reference.
Many developers log Firestore objects to help them debug testing/prod issues; this leaking of the entire Firestore key via this._settings is a bad practice, as per me.
We can also use Object.defineProperty to make it non-enumerable, or any other technique that you like.
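The leak the PR describes, and the Object.defineProperty fix it proposes, shown side by side in a constructed example (this is not nodejs-firestore's own code; the class names, the settings shape and the placeholder private key are all assumptions made here):

```javascript
// Before the fix: settings kept as an ordinary enumerable property, so any
// JSON.stringify or console.log of the object carries the credentials along.
class LeakyDocumentReference {
  constructor(settings, path) {
    this._settings = settings;
    this.path = path;
  }
}

// After the fix: the same field made non-enumerable via Object.defineProperty,
// so serialization and key enumeration skip it while code that reads
// this._settings directly keeps working unchanged.
class SafeDocumentReference {
  constructor(settings, path) {
    Object.defineProperty(this, '_settings', {
      value: settings,
      enumerable: false,
      writable: true,
      configurable: true,
    });
    this.path = path;
  }
}

// Constructed settings object with a placeholder key, never a real credential.
const SAMPLE_SETTINGS = {
  projectId: 'demo-project',
  credentials: {
    client_email: 'svc@demo-project.iam.gserviceaccount.com',
    private_key: 'PLACEHOLDER-PRIVATE-KEY',
  },
};

// Detection check: does the serialized form of `obj` contain the private key?
function serializationLeaksKey(obj) {
  return JSON.stringify(obj).includes(SAMPLE_SETTINGS.credentials.private_key);
}

function demo() {
  const leaky = new LeakyDocumentReference(SAMPLE_SETTINGS, 'users/alice');
  const safe = new SafeDocumentReference(SAMPLE_SETTINGS, 'users/alice');
  return {
    leakyLeaks: serializationLeaksKey(leaky),              // true
    safeLeaks: serializationLeaksKey(safe),                // false
    safeStillReadable: safe._settings === SAMPLE_SETTINGS, // true
    safeKeys: Object.keys(safe),                           // ['path']
  };
}
```

console.log goes through util.inspect, which also omits non-enumerable properties by default, so the same change covers the plain-logging case the PR mentions as well as JSON.stringify.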