Llm Data Leakage in Buffalo with Firestore

LLM data leakage in Buffalo applications that use Firestore typically occurs when application logic or prompts unintentionally expose sensitive Firestore document data to LLM endpoints. Because Buffalo does not enforce strict separation between application data and LLM prompts, developer code may serialize Firestore document maps into prompt templates, chat messages, or tool inputs. When these prompts are sent to an unauthenticated or poorly guarded LLM endpoint, confidential Firestore fields such as internal IDs, user roles, or PII can be included in LLM requests or exposed via model outputs.

The risk is compounded when LLM endpoints are reachable without authentication. An attacker who can influence prompt content through user-controlled input may cause the application to include sensitive Firestore fields in requests that query or generate text. Because Firestore documents often contain nested maps and arrays, developers may inadvertently pass entire document snapshots into LLM calls. middleBrick’s LLM/AI Security checks detect system prompt leakage patterns and active prompt injection techniques, identifying cases where Firestore data could be coaxed into LLM contexts through crafted inputs.

Output scanning is another key concern: LLM responses that include data derived from Firestore may themselves leak information such as API keys, internal identifiers, or PII. Even when Firestore rules are correctly configured, the application layer may propagate data into the model in ways that bypass intended access controls. middleBrick’s checks for excessive agency and unsafe consumption highlight scenarios where tool calls or function schemas expose Firestore-like structures to the LLM, increasing the chance that sensitive information is surfaced in model outputs.

In a Buffalo + Firestore stack, common anti-patterns include constructing chat completion messages directly from Firestore documents, embedding document references in user-facing prompts, and using Firestore snapshot data to fill in few-shot examples. These patterns can lead to unintended data exfiltration through the LLM interface. middleBrick’s scan flags these issues by correlating runtime behavior with OpenAPI specifications and by testing prompt injection paths that specifically target data stored in Firestore collections.

Because Firestore data often contains structured user data, leakage into LLM endpoints not only risks exposure of individual records but may also reveal relationships across collections. For example, if a prompt includes a user document that references other collection IDs, an attacker might infer access patterns or escalate testing across related resources. middleBrick’s inventory management and data exposure checks help surface these cross-references by analyzing how Firestore data propagates into LLM interactions.

To prevent LLM data leakage with Firestore in Buffalo, structure application code so that only intended, non-sensitive fields are ever passed to LLM endpoints. Avoid passing entire Firestore document maps into prompts or tool schemas. Instead, explicitly select safe fields and sanitize values before inclusion.

import "core/prelude"
import Bamboo.Email
import Plug.Conn

def safe_user_data(user_doc) do
  %{
    display_name: user_doc["displayName"],
    email: user_doc["email"],
    public_id: user_doc["publicId"]
  }
end

def build_prompt(conn, user_doc) do
  user = safe_user_data(user_doc)
  "You are assisting #{user.display_name} (ID: #{user.public_id}). Email: #{user.email}."
end

This pattern ensures that only explicitly allowed fields are used. If your Firestore documents contain nested maps, project only the top-level safe values and avoid including document metadata such as update time or internal IDs.

When using Firestore with tools or function calling, define strict schemas that do not mirror the full document structure. For example, if a tool needs a user identifier, pass only the minimal required identifier rather than the full document:

def call_user_tool(conn, user_doc) do
  # Instead of passing the full doc, extract only what is needed
  user_id = user_doc["publicId"]
  # call external tool with user_id only
end

Ensure that LLM endpoints accessed from Buffalo require authentication where possible, and avoid constructing prompts from untrusted input that may include Firestore document contents. Validate and whitelist any data that originates from Firestore before it enters prompt templates or tool arguments.

For applications using the middleBrick MCP Server in your IDE, you can scan APIs directly while developing to catch Firestore leakage patterns early. The Dashboard allows you to track how findings evolve over time, and the CLI enables you to integrate scans into local workflows:

middlebrick scan <your-api-url>

Use the GitHub Action to add API security checks to your CI/CD pipeline and fail builds if risk scores drop below your chosen threshold. These measures help ensure that Firestore data remains confined to backend logic and does not unintentionally reach LLM endpoints.