flintbase 0.3.1

Google / Firebase API key analyzer and APK secret scanner — tests keys against 20+ endpoints and extracts hardcoded credentials from Android apps
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

use reqwest::blocking::Client;
use serde_json::Value;

use crate::config::{FirebaseProjectInfo, TestResult};

/// Test Realtime Database public access.
pub fn test_realtime_db(
    client: &Client,
    _key: &str,
    project_id: Option<&str>,
    info: &mut FirebaseProjectInfo,
) -> TestResult {
    let pid = match project_id {
        Some(p) => p,
        None => {
            return TestResult::fail(
                None,
                "No project ID available",
                Some("Provide --project-id to test Realtime Database".into()),
            )
        }
    };

    let url = format!(
        "https://{}-default-rtdb.firebaseio.com/.json?shallow=true",
        pid
    );

    let resp = match client.get(&url).send() {
        Ok(r) => r,
        Err(e) => return TestResult::fail(None, e.to_string(), None),
    };

    let status = resp.status().as_u16();

    match status {
        200 => {
            let data: Value = resp.json().unwrap_or_default();
            info.realtime_db_public_read = Some(true);
            if data.is_null() || (data.is_object() && data.as_object().unwrap().is_empty()) {
                TestResult::ok(status, "Database publicly readable but empty")
            } else {
                let preview = {
                    let s = data.to_string();
                    if s.len() > 200 {
                        format!("{}...", &s[..200])
                    } else {
                        s
                    }
                };
                TestResult::ok(status, "[CRITICAL] Database is PUBLICLY READABLE!")
                    .with_extra("data_preview", preview)
            }
        }
        401 => {
            info.realtime_db_public_read = Some(false);
            TestResult::fail(
                Some(status),
                "Permission denied",
                Some("Database requires authentication (properly secured)".into()),
            )
        }
        404 => TestResult::fail(
            Some(status),
            "Not found",
            Some("Realtime Database not enabled or different URL".into()),
        ),
        _ => {
            let text = resp.text().unwrap_or_default();
            let detail = if text.is_empty() {
                None
            } else {
                Some(text.chars().take(100).collect())
            };
            TestResult::fail(Some(status), format!("HTTP {}", status), detail)
        }
    }
}

/// Test Firebase Storage bucket access.
pub fn test_firebase_storage(
    client: &Client,
    _key: &str,
    project_id: Option<&str>,
    info: &mut FirebaseProjectInfo,
) -> TestResult {
    let pid = match project_id {
        Some(p) => p,
        None => {
            return TestResult::fail(
                None,
                "No project_id",
                Some("Provide --project-id to test Storage".into()),
            )
        }
    };

    let bucket = format!("{}.appspot.com", pid);
    info.storage_bucket = Some(bucket.clone());

    let url = format!(
        "https://firebasestorage.googleapis.com/v0/b/{}/o",
        bucket
    );

    let resp = match client.get(&url).send() {
        Ok(r) => r,
        Err(e) => return TestResult::fail(None, e.to_string(), None),
    };

    let status = resp.status().as_u16();

    match status {
        200 => {
            let data: Value = resp.json().unwrap_or_default();
            let items = data
                .get("items")
                .and_then(|v| v.as_array())
                .cloned()
                .unwrap_or_default();
            info.storage_public = Some(true);

            let item_names: Vec<String> = items
                .iter()
                .take(10)
                .filter_map(|i| i.get("name").and_then(|n| n.as_str()).map(String::from))
                .collect();

            let mut result = TestResult::ok(
                status,
                format!(
                    "[CRITICAL] Storage bucket PUBLICLY LISTABLE! ({} items)",
                    items.len()
                ),
            );
            if !item_names.is_empty() {
                result = result.with_extra("items", item_names.join(", "));
            }
            result
        }
        403 => {
            info.storage_public = Some(false);
            TestResult::fail(
                Some(status),
                "Access denied",
                Some("Storage bucket properly secured".into()),
            )
        }
        _ => TestResult::fail(Some(status), format!("HTTP {}", status), None),
    }
}