Firebase Security to restrict some string characters

How can I prevent the user from saving a string that is above a certain limit?

I get "Invalid access to properties: target is not an object" when trying to check the string length property in security rules.

+4
2 answers

Firebase security rules now support the length property for strings, as well as several other string methods, including replace(), contains(), toUpperCase(), toLowerCase(), etc.

See https://firebase.google.com/docs/reference/security/database/#string_properties for more details.

+5
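A rule of the kind this answer describes, as an added example that is not part of the original answer. The `messages` and `text` path names, the `auth != null` write condition and the 140-character limit are assumptions chosen for illustration; `isString()` is checked first so that `length` is only evaluated on a string value.

```json
{
  // Added example: path names and the 140-character limit are assumptions.
  "rules": {
    "messages": {
      "$messageId": {
        // Only signed-in users may write a message.
        ".write": "auth != null",
        "text": {
          // Reject non-strings first, then enforce the length bounds.
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
        },
        // Reject any child other than "text".
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Because the rule is evaluated by the database itself, it applies to every write, including writes from a client that skips the application's own input checks.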

The syntax you can use in the rules is described in detail here.

Unfortunately, the ability to perform string operations (match, length, etc.) is currently not available. SEE THE ANSWER FROM ROBOR BELOW: THIS CHARACTERISTIC IS NOW AVAILABLE.

I know this is at least on the Firebase radar, because I asked for a similar function some time ago.

If you explain the exact details of what you want to solve, that will allow a much more specific answer; for now I will give you some general ideas.

Use privileged application

Monitor Firebase with a privileged application, and whenever a value is written to certain fields that need a string check, check it manually and delete it if it is invalid.

Naturally, client-side validation will take care of all valid use cases. Therefore, this is only necessary to prevent malicious insertions.

Alternatively, you can approach this as an audit. Just email any invalid strings to an address for review. Since the client must ensure that the string is correct before inserting, you are again looking for errors or malicious behavior.

API Entry Delegation

Instead of allowing the client to write privileged data, send it to the API and ask the API to write this data, making it available only to the client.

Do not worry about it

Do you really need to check the length? Is it enough just to look and see if this is a string? Is it really a problem that someone “hacks” the contents of the string? Probably not. It may be, but probably not.

And if it causes concern, can it be solved in another way? If there is a server involved, simply use the process described above.

+3

Source: https://habr.com/ru/post/1480207/

