Status: triaged, accepted, fixed
Summary: fix toJSON spelling in firestore sdk
Product: Google Cloud
URL: https://github.com/googleapis/nodejs-firestore
Vulnerability type: Other
Details
Hi,

Language: NodeJS
NPM Repository: https://www.npmjs.com/package/@google-cloud/firestore
Code Repository: https://github.com/googleapis/nodejs-firestore

I found out that the wrong spelling of the toJSON function (it was toJson) could lead to the Firestore key getting leaked out when JSON.stringify() is run on any Firestore object, since all of them contain an internal reference to the Firestore object, which has a _settings object that holds the private key. I raised a pull request highlighting the same: https://github.com/googleapis/nodejs-firestore/pull/1983

Since I was thinking from the point of view of Firebase, milaGGL pointed out that the bug was not reproducible, so I edited my PR to remove the unnecessary code. I was unable to convey my message that it was exploitable when this library was used directly, without any wrappers like the Node.js Firebase Admin SDK library.

Another developer reverted my commit to change the code to match exactly my original pull request, here: https://github.com/googleapis/nodejs-firestore/pull/1989/commits/7b8a9755bde1b86172fc65f810a54d0f1d0c82e1 [it reverts my commit and is exactly the same as my original PR], in https://github.com/googleapis/nodejs-firestore/pull/1989. He reviewed my PR and reintroduced the code with the correct toJSON function spelling, as I had suggested in my original PR and which was my original intention.

This contribution was a security-related one, which is why I am filing it here.
I hope you understand how my contribution led to the current state of the corrected code. I request you to review this and assign a CVE ID which also includes links to my PR so I can cite it. I would also like to argue my case for a bounty, since this concept was originally pioneered and raised by me.
Attack scenario
The vulnerability that was fixed eventually closed a loophole which leaked or exposed the private key with which the Google Cloud Firestore nodejs-sdk library was initialised, upon logging of any Firestore objects (document snapshots, references, etc.) when serialised using JSON.stringify. The wrong spelling of toJSON as toJson in the original codebase meant that the function toJson, which was written to prevent serialisation of the Firestore private key, did not get triggered when JSON.stringify was run upon it. I raised a PR to fix this and it is fixed now.
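The mechanism described in the Details and Attack scenario sections above, as an added example that is not code from nodejs-firestore or from the reporter: JSON.stringify() only honours a method named exactly toJSON, so a hook spelled toJson is ignored and the default serialisation walks every enumerable property, including the internal client reference and its settings. The class names, the makeClient() stand-in and the PLACEHOLDER_PRIVATE_KEY value are constructed for the demo; findMisspelledToJSON() is a hypothetical regression check, not part of the library.

```javascript
// Added example (not from nodejs-firestore): how JSON.stringify() picks its
// serialisation hook, and why a misspelled hook leaks internal state.
// makeClient(), the snapshot classes and the credential value are constructed.

// Stand-in for a client whose settings carry a credential (constructed value).
function makeClient() {
  return {
    _settings: {
      projectId: 'demo-project',
      credentials: { private_key: 'PLACEHOLDER_PRIVATE_KEY' },
    },
  };
}

// "Before": the hook is spelled toJson. JSON.stringify() never calls it, so the
// default serialisation includes _firestore._settings and the credential.
class DocumentSnapshotLeaky {
  constructor(firestore, ref, data) {
    this._firestore = firestore; // internal back-reference to the client
    this._ref = ref;
    this._data = data;
  }
  toJson() {
    return { ref: this._ref, data: this._data };
  }
}

// "After": the same hook spelled toJSON. JSON.stringify() calls it and
// serialises only what it returns.
class DocumentSnapshotFixed extends DocumentSnapshotLeaky {
  toJSON() {
    return this.toJson();
  }
}

// True if the serialised form of the object contains the private key.
function leaksPrivateKey(snapshot) {
  return JSON.stringify(snapshot).includes('PLACEHOLDER_PRIVATE_KEY');
}

// Hypothetical regression check: flag own prototype methods that are meant to
// be the JSON.stringify hook but are not spelled exactly "toJSON".
function findMisspelledToJSON(cls) {
  return Object.getOwnPropertyNames(cls.prototype).filter(
    (name) => name.toLowerCase() === 'tojson' && name !== 'toJSON'
  );
}

function demo() {
  const client = makeClient();
  const data = { title: 'hello' };
  const leaky = new DocumentSnapshotLeaky(client, 'docs/1', data);
  const fixed = new DocumentSnapshotFixed(client, 'docs/1', data);
  return {
    leakyLeaks: leaksPrivateKey(leaky), // true
    fixedLeaks: leaksPrivateKey(fixed), // false
    fixedOutput: JSON.stringify(fixed), // {"ref":"docs/1","data":{"title":"hello"}}
  };
}

console.log(demo());
console.log('misspelled hooks (leaky):', findMisspelledToJSON(DocumentSnapshotLeaky));
console.log('misspelled hooks (fixed):', findMisspelledToJSON(DocumentSnapshotFixed));
```

The regression check only inspects a class's own prototype, which is what matters here: a misspelled hook anywhere in the chain is silently ignored, so the check should be run against each class that defines one. Logging pipelines that serialise SDK objects wholesale are the place to apply a replacer or redaction regardless of the library fix, since any object holding a client reference is only one missing hook away from the same leak.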