Private keys exposed with DocumentReference
Joebayld opened this issue
I've found that if you do an export without any options, and one of your fields is of type DocumentReference, then the library thinks the DocumentRef is a JSON object and exports the entire object. This is very dangerous because this includes any firebase settings (Private Keys included!).
If in the wrong hands, your private keys could be exposed. This is not good.
Attaching a screenshot of the response.
I noticed this issue with another library and I stopped using that one because of the risk. Something possible to try is checking the field values like so:
if (rawValue.constructor.name === 'DocumentReference')
Thanks for your report. I will follow the discussion in the firebase-admin-node issue and see if there is any solution for it.
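One way to apply the check suggested in the report during an export, as an added example that is not code from this thread or from the library. The `DocumentReference` class below is a constructed stand-in holding a fake key, `isDocumentReference` and `toExportable` are hypothetical helper names, and `path` is assumed to be the reference's document path as exposed by the Firestore SDK.

```javascript
// Constructed stand-in for the SDK's DocumentReference: like the object in the
// report, it carries a back-reference to client settings (fake credential).
class DocumentReference {
  constructor(path) {
    this.path = path;
    this._firestore = {
      _settings: { credentials: { private_key: 'CONSTRUCTED-FAKE-KEY' } },
    };
  }
}

// Detection as suggested in the issue: match on the constructor name.
function isDocumentReference(value) {
  return value !== null && typeof value === 'object' &&
    value.constructor != null && value.constructor.name === 'DocumentReference';
}

// Recursively copy a document's data, replacing every DocumentReference with
// its path string so SDK internals never reach the export.
function toExportable(value, seen = new WeakSet()) {
  if (isDocumentReference(value)) return value.path;
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Date) return value.toISOString();
  if (seen.has(value)) throw new TypeError('circular structure in export data');
  seen.add(value);
  const out = Array.isArray(value)
    ? value.map((item) => toExportable(item, seen))
    : Object.fromEntries(
        Object.entries(value).map(([k, v]) => [k, toExportable(v, seen)]));
  seen.delete(value); // allow the same object to appear twice without a cycle
  return out;
}

// Constructed sample document with references at several depths.
const sampleDoc = {
  title: 'order-1',
  owner: new DocumentReference('users/alice'),
  items: [{ product: new DocumentReference('products/p1'), qty: 2 }],
  meta: { createdBy: new DocumentReference('users/bob') },
};

const naive = JSON.stringify(sampleDoc); // the behaviour the report describes
const safe = JSON.stringify(toExportable(sampleDoc));
console.log('naive export contains key:', naive.includes('CONSTRUCTED-FAKE-KEY'));
console.log('safe export:', safe);
```

Matching on `constructor.name` stops working if a bundler renames classes; where the SDK class can be imported, an `instanceof` check against it is the sturdier test.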