UpsertBucket uses a purpose label to detect & work around squatting (#9269)

Fixes both a DoS and RCE vulnerability when an attacker could predict the bucket that App Hosting or Functions would use for uploading source.

Instead of returning a bucket when it exists (but could be owned by an attacker) we list the buckets actually owned by the user. There are three cases to consider:

There exists a bucket with the "purpose label". This will usually have the same name as the target bucket name, but may not in the case that the bucket was created with collision avoidance. Return whichever bucket has the label.
There exists a bucket without the "purpose label" but with the target bucket name. Since we got this bucket name from "listBuckets" we know that this is user owned and it is safe to add the purpose label to migrate the fleet to one shape
The bucket does not exist. Try to create it. If creation fails (e.g. naming conflict due to squatting) then add a random 6-character string at the end to avoid conflicts. We try this 4 times, so an attacker would need to have squatted on about 600 million buckets for there to be at least a 1% chance that deployment fails (and they can retry without consequence).
Manually tested:

Create a bucket without conflict
Create a bucket with conflict
Reuse a bucket
Add a purpose label to a legacy bucket

Author: inlined

src/deploy/apphosting/deploy.spec.ts

@@ -75,25 +75,29 @@ describe("apphosting", () => {
 
     it("upserts regional GCS bucket", async () => {
       const context = initializeContext();
-      getProjectNumberStub.resolves("000000000000");
-      upsertBucketStub.resolves();
+      const projectNumber = "000000000000";
+      const location = "us-central1";
+      const bucketName = `firebaseapphosting-sources-${projectNumber}-${location}`;
+
+      getProjectNumberStub.resolves(projectNumber);
+      upsertBucketStub.resolves(bucketName);
       createArchiveStub.resolves("path/to/foo-1234.zip");
       uploadObjectStub.resolves({
-        bucket: "firebaseapphosting-sources-12345678-us-central1",
+        bucket: bucketName,
         object: "foo-1234",
       });
-      createReadStreamStub.resolves();
+      createReadStreamStub.returns("stream" as any);
 
       await deploy(context, opts);
 
       expect(upsertBucketStub).to.be.calledWith({
         product: "apphosting",
-        createMessage:
-          "Creating Cloud Storage bucket in us-central1 to store App Hosting source code uploads at firebaseapphosting-sources-000000000000-us-central1...",
+        createMessage: `Creating Cloud Storage bucket in ${location} to store App Hosting source code uploads at ${bucketName}...`,
         projectId: "my-project",
         req: {
-          name: "firebaseapphosting-sources-000000000000-us-central1",
-          location: "us-central1",
+          baseName: bucketName,
+          purposeLabel: `apphosting-source-${location}`,
+          location: location,
           lifecycle: {
             rule: [
               {
@@ -108,20 +112,22 @@ describe("apphosting", () => {
 
     it("correctly creates and sets storage URIs", async () => {
       const context = initializeContext();
-      getProjectNumberStub.resolves("000000000000");
-      upsertBucketStub.resolves();
+      const projectNumber = "000000000000";
+      const location = "us-central1";
+      const bucketName = `firebaseapphosting-sources-${projectNumber}-${location}`;
+
+      getProjectNumberStub.resolves(projectNumber);
+      upsertBucketStub.resolves(bucketName);
       createArchiveStub.resolves("path/to/foo-1234.zip");
       uploadObjectStub.resolves({
-        bucket: "firebaseapphosting-sources-12345678-us-central1",
+        bucket: bucketName,
         object: "foo-1234",
       });
-      createReadStreamStub.resolves();
+      createReadStreamStub.returns("stream" as any);
 
       await deploy(context, opts);
 
-      expect(context.backendStorageUris["foo"]).to.equal(
-        "gs://firebaseapphosting-sources-000000000000-us-central1/foo-1234.zip",
-      );
+      expect(context.backendStorageUris["foo"]).to.equal(`gs://${bucketName}/foo-1234.zip`);
     });
   });
 });

src/deploy/apphosting/deploy.ts

@@ -24,15 +24,17 @@ export default async function (context: Context, options: Options): Promise<void
   }
 
   // Ensure that a bucket exists in each region that a backend is or will be deployed to
+  const bucketsPerLocation: Record<string, string> = {};
   await Promise.all(
     Object.values(context.backendLocations).map(async (loc) => {
-      const bucketName = `firebaseapphosting-sources-${options.projectNumber}-${loc.toLowerCase()}`;
-      await gcs.upsertBucket({
+      const baseName = `firebaseapphosting-sources-${options.projectNumber}-${loc.toLowerCase()}`;
+      const resolvedName = await gcs.upsertBucket({
         product: "apphosting",
-        createMessage: `Creating Cloud Storage bucket in ${loc} to store App Hosting source code uploads at ${bucketName}...`,
+        createMessage: `Creating Cloud Storage bucket in ${loc} to store App Hosting source code uploads at ${baseName}...`,
         projectId,
         req: {
-          name: bucketName,
+          baseName,
+          purposeLabel: `apphosting-source-${loc.toLowerCase()}`,
           location: loc,
           lifecycle: {
             rule: [
@@ -48,6 +50,7 @@ export default async function (context: Context, options: Options): Promise<void
           },
         },
       });
+      bucketsPerLocation[loc] = resolvedName;
     }),
   );
 
@@ -65,7 +68,7 @@ export default async function (context: Context, options: Options): Promise<void
         "apphosting",
         `Uploading source code at ${projectSourcePath} for backend ${cfg.backendId}...`,
       );
-      const bucketName = `firebaseapphosting-sources-${options.projectNumber}-${backendLocation.toLowerCase()}`;
+      const bucketName = bucketsPerLocation[backendLocation]!;
       const { bucket, object } = await gcs.uploadObject(
         {
           file: zippedSourcePath,

src/deploy/functions/deploy.spec.ts

@@ -153,8 +153,6 @@ describe("deploy", () => {
       functionsSourceV2: "source.zip",
       functionsSourceV2Hash: "source-hash",
     };
-    const CREATE_MESSAGE =
-      "Creating Cloud Storage bucket in region to store Functions source code uploads at firebase-functions-src-123456...";
 
     before(() => {
       experimentEnabled = experiments.isEnabled("runfunctions");
@@ -163,7 +161,7 @@ describe("deploy", () => {
 
     beforeEach(() => {
       gcsUploadStub = sinon.stub(gcs, "upload").resolves({ generation: "1" });
-      gcsUpsertBucketStub = sinon.stub(gcs, "upsertBucket").resolves();
+      gcsUpsertBucketStub = sinon.stub(gcs, "upsertBucket");
       gcfv2GenerateUploadUrlStub = sinon.stub(gcfv2, "generateUploadUrl").resolves({
         uploadUrl: "https://storage.googleapis.com/upload/url",
         storageSource: {
@@ -179,27 +177,32 @@ describe("deploy", () => {
     });
 
     describe("with runfunctions experiment enabled", () => {
+      const PROJECT_NUMBER = "123456";
+      const BUCKET_NAME = `firebase-functions-src-${PROJECT_NUMBER}`;
+
       before(() => experiments.setEnabled("runfunctions", true));
 
       it("should call gcs.upsertBucket and gcs.upload for gcfv2 functions", async () => {
         const wantBackend = backend.of({ ...ENDPOINT, platform: "gcfv2" });
+        gcsUpsertBucketStub.resolves(BUCKET_NAME);
 
-        await deploy.uploadSourceV2("project", "123456", SOURCE, wantBackend);
+        await deploy.uploadSourceV2("project", PROJECT_NUMBER, SOURCE, wantBackend);
 
         expect(gcsUpsertBucketStub).to.be.calledOnceWith({
           product: "functions",
           projectId: "project",
-          createMessage: CREATE_MESSAGE,
+          createMessage: `Creating Cloud Storage bucket in region to store Functions source code uploads at ${BUCKET_NAME}...`,
           req: {
-            name: "firebase-functions-src-123456",
+            baseName: BUCKET_NAME,
             location: "region",
+            purposeLabel: "functions-source-region",
             lifecycle: { rule: [{ action: { type: "Delete" }, condition: { age: 1 } }] },
           },
         });
         expect(createReadStreamStub).to.be.calledOnceWith("source.zip");
         expect(gcsUploadStub).to.be.calledOnceWith(
           { file: "source.zip", stream: "stream" },
-          "firebase-functions-src-123456/source-hash.zip",
+          `${BUCKET_NAME}/source-hash.zip`,
           undefined,
           true,
         );
@@ -208,23 +211,25 @@ describe("deploy", () => {
 
       it("should call gcs.upsertBucket and gcs.upload for run functions", async () => {
         const wantBackend = backend.of({ ...ENDPOINT, platform: "run" });
+        gcsUpsertBucketStub.resolves(BUCKET_NAME);
 
-        await deploy.uploadSourceV2("project", "123456", SOURCE, wantBackend);
+        await deploy.uploadSourceV2("project", PROJECT_NUMBER, SOURCE, wantBackend);
 
         expect(gcsUpsertBucketStub).to.be.calledOnceWith({
           product: "functions",
           projectId: "project",
-          createMessage: CREATE_MESSAGE,
+          createMessage: `Creating Cloud Storage bucket in region to store Functions source code uploads at ${BUCKET_NAME}...`,
           req: {
-            name: "firebase-functions-src-123456",
+            baseName: BUCKET_NAME,
             location: "region",
+            purposeLabel: "functions-source-region",
             lifecycle: { rule: [{ action: { type: "Delete" }, condition: { age: 1 } }] },
           },
         });
         expect(createReadStreamStub).to.be.calledOnceWith("source.zip");
         expect(gcsUploadStub).to.be.calledOnceWith(
           { file: "source.zip", stream: "stream" },
-          "firebase-functions-src-123456/source-hash.zip",
+          `${BUCKET_NAME}/source-hash.zip`,
           undefined,
           true,
         );

src/deploy/functions/deploy.ts

@@ -95,14 +95,15 @@ export async function uploadSourceV2(
   // Future behavior: BYO bucket if we're using the Cloud Run API directly because it does not provide a source upload API.
   // We use this behavior whenever the "runfunctions" experiment is enabled for now just to help vet the codepath incrementally.
   // Using project number to ensure we don't exceed the bucket name length limit (in addition to PII controversy).
-  const bucketName = `firebase-functions-src-${projectNumber}`;
-  await gcs.upsertBucket({
+  const baseName = `firebase-functions-src-${projectNumber}`;
+  const bucketName = await gcs.upsertBucket({
     product: "functions",
     projectId,
-    createMessage: `Creating Cloud Storage bucket in ${region} to store Functions source code uploads at ${bucketName}...`,
+    createMessage: `Creating Cloud Storage bucket in ${region} to store Functions source code uploads at ${baseName}...`,
     req: {
-      name: bucketName,
+      baseName,
       location: region,
+      purposeLabel: `functions-source-${region.toLowerCase()}`,
       lifecycle: {
         rule: [
           {

src/deploy/functions/params.ts

@@ -695,7 +695,7 @@ async function promptResourceString(
   const notFound = new FirebaseError(`No instances of ${input.resource.type} found.`);
   switch (input.resource.type) {
     case "storage.googleapis.com/Bucket":
-      const buckets = await listBuckets(projectId);
+      const buckets = (await listBuckets(projectId)).map((b) => b.name);
       if (buckets.length === 0) {
         throw notFound;
       }
@@ -723,7 +723,7 @@ async function promptResourceStrings(
   const notFound = new FirebaseError(`No instances of ${input.resource.type} found.`);
   switch (input.resource.type) {
     case "storage.googleapis.com/Bucket":
-      const buckets = await listBuckets(projectId);
+      const buckets = (await listBuckets(projectId)).map((b) => b.name);
       if (buckets.length === 0) {
         throw notFound;
       }