Firestore private key leaked by using JSON.stringify on any firestore object in Node.JS

Reported by: Abhishek Mathur

Google VRP

  • triaged

  • accepted

  • triaged

  • fixed

reward decided

$500

Summary: Firestore private key leaked by using JSON.stringify on any firestore object in Node.JS

Product: Firebase

URL: https://github.com/googleapis/nodejs-firestore/pull/1742

Vulnerability type: unknown

Details

[ The bug has been fixed via my pull request, I just want a CVE ID for the fixed vulnerability ] and any bug bounty reward if eligible. PR: https://github.com/googleapis/nodejs-firestore/pull/1742

I discovered that when I serialise any Firebase Admin SDK Node.js Firestore object, it was leaking the entire private key that I was using to initialise the SDK (https://firebase.google.com/docs/reference/admin/node/firebase-admin.app#example_2). This was happening because of the non-protection of the settings field inside the Firestore object, and this Firestore object is present inside all other objects like documents, collections, references, etc.

Eg: If we are logging the objects in our codebase for debugging using JSON.stringify, the prod Firebase project logs will contain the serialised Firestore objects, revealing the private key in logs like Google Cloud Stackdriver Logging. This is unintended, as a person having logging view rights might not be authorised or intended to have access to the prod Firestore private key.

Upon my suggestion the bug is fixed and the PR is merged. I would like a CVE ID number for this vulnerability I helped to fix, and also any bug bounty reward if eligible.

Attack scenario

It can be exploited by anybody who can see the output of serialisation of Firestore objects. For example, any developer in an organisation who has Google Cloud Stackdriver Logging view-only rights: if the code serialises any Firestore objects for debugging (document ID, collection path, etc.), the logs will also contain the private key used to manually initialise Firestore as described in this example (https://firebase.google.com/docs/reference/admin/node/firebase-admin.app#example_2), and they will be able to see the prod Firebase Firestore key, which the organisation or project owners might not want for security reasons.

Also, the prod key of any database should never be revealed by any serialisation technique on any database-, library- or ORM-generated objects, as the code may be passing credentials via env or some secret manager, and the serialised data on database objects may be stored inside the database to be shown to users or be put inside logs (so that developers can see and debug any prod issues).
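The leak pattern described in the Details and Attack scenario sections, as an added example that is not part of the report and is not code from nodejs-firestore. It uses a constructed stand-in for the client / DocumentReference object graph (the field names `_settings`, `_firestore` and `credentials` are assumptions modelled on the report, not a claim about the library's internals), a placeholder private key, and shows two mitigations: making the settings non-enumerable so `JSON.stringify` skips it, and a redacting replacer for application-side debug logging. Which of these PR 1742 actually used is not stated on this page.

```javascript
// Added example, not from the report or from nodejs-firestore.
// All objects and the key below are constructed for the demonstration.

// Constructed placeholder; not real key material.
const FAKE_PRIVATE_KEY =
  '-----BEGIN PRIVATE KEY-----\n' +
  'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC(constructed placeholder body)\n' +
  '-----END PRIVATE KEY-----\n';

// Service-account style settings, as passed when initialising the SDK
// manually with explicit credentials.
function makeSettings() {
  return {
    projectId: 'example-project',
    credentials: {
      client_email: 'svc@example-project.iam.gserviceaccount.com',
      private_key: FAKE_PRIVATE_KEY,
    },
  };
}

// "Before" shape (assumed): settings stored as an ordinary enumerable
// property, so JSON.stringify descends into it. Every reference object
// carries a back-pointer to the client, so documents and collections
// serialise the key too.
function makeLeakyClient() {
  const client = { _settings: makeSettings() };
  const doc = { _firestore: client, _path: 'users/alice' };
  return { client, doc };
}

// Mitigation 1 (library side): keep the settings readable by code that
// knows the field, but invisible to JSON.stringify, Object.keys, spread,
// and most generic loggers, by making the property non-enumerable.
function makeHardenedClient() {
  const client = {};
  Object.defineProperty(client, '_settings', {
    value: makeSettings(),
    enumerable: false,
    writable: true,
    configurable: true,
  });
  const doc = { _firestore: client, _path: 'users/alice' };
  return { client, doc };
}

// Mitigation 2 (application side): redact credential-shaped keys in the
// replacer, so debug logging never emits them regardless of what a
// third-party object happens to expose. Redacting "credentials" as a whole
// also covers nested fields such as private_key.
const SENSITIVE_KEYS = /^(private_key|privateKey|client_secret|credentials|password|token)$/i;

function redactingReplacer(key, value) {
  return SENSITIVE_KEYS.test(key) ? '[REDACTED]' : value;
}

function safeStringify(obj) {
  return JSON.stringify(obj, redactingReplacer);
}

// Detection helper: does serialised output contain PEM private-key material?
// Useful as a log-sink check before shipping lines to a shared logging backend.
function containsPrivateKey(text) {
  return /-----BEGIN (RSA |EC )?PRIVATE KEY-----/.test(text);
}

// Does a naive JSON.stringify of the object leak key material?
function leaksKey(obj) {
  return containsPrivateKey(JSON.stringify(obj));
}

function demo() {
  const leaky = makeLeakyClient();
  const hardened = makeHardenedClient();
  console.log('leaky document leaks key:   ', leaksKey(leaky.doc));
  console.log('hardened document leaks key:', leaksKey(hardened.doc));
  console.log('hardened settings readable: ', hardened.client._settings.projectId);
  console.log('redacted log line:          ', safeStringify(leaky.doc));
}

demo();
```

The non-enumerable approach is the right fix for the library, since it removes the footgun for every caller; the redacting replacer is defence in depth for application logging, because other dependencies may carry secrets in enumerable fields too. Neither stops `util.inspect` with `showHidden: true` from printing the settings, so a logger configured that way still needs the replacer or an allow-list of fields.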