FixVibe
Covered by FixVibe (high)

Learn to secure your Next.js and Supabase application by setting up Row Level Security (RLS) and server-side clients correctly.

Applications built with Next.js and Supabase often rely on Row Level Security (RLS) to protect data. Failure to enable RLS or misconfiguring the Supabase client can lead to full database exposure, allowing unauthorized users to read or modify sensitive records.

CWE-284

Impact

Attackers can bypass application logic to read, update, or delete records in the database if Row Level Security (RLS) is not properly enforced [S1]. This often results in the exposure of Personally Identifiable Information (PII) or sensitive application data to users who only have access to the public anonymous API key.

Root Cause

Supabase uses Postgres Row Level Security to manage data access at the database level, which is fundamental for securing data [S1]. In a Next.js environment, developers must create a Supabase client that correctly handles cookies and sessions to maintain security during server-side rendering [S2]. Vulnerabilities typically arise when:

  • Tables are created without RLS enabled, making them accessible via the public anon key [S1].
  • The Supabase client is misconfigured in Next.js, failing to properly pass user authentication tokens to the database [S2].
  • Developers accidentally use the service_role key in client-side code, which bypasses all RLS policies [S1].

Concrete Fixes

  • Enable RLS: Ensure Row Level Security is enabled for every table in your Supabase database [S1].
  • Define Policies: Create specific Postgres policies for SELECT, INSERT, UPDATE, and DELETE operations to restrict access based on the user's UID [S1].
  • Use SSR Clients: Implement the @supabase/ssr package to create clients in Next.js that correctly manage server-side authentication and session persistence [S2].

How FixVibe tests for it

FixVibe already covers this through deployed-app and repo checks. The passive baas.supabase-rls module discovers Supabase URL and anon-key pairs from same-origin JavaScript bundles, asks PostgREST for public table metadata, and performs limited read-only selects to confirm anonymous data exposure without mutating customer data. Repo scans also run repo.supabase.missing-rls to flag SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY, and secret scans look for service-role key exposure before it reaches the browser.
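As an added example (my own illustration, not FixVibe's scanner and not code from Supabase or Next.js), the TypeScript below ties the Concrete Fixes to the repo check described above: two constructed migrations, one that creates a public table and forgets RLS and one that enables it and defines per-operation policies on auth.uid(), plus a small linter that flags public tables created without ENABLE ROW LEVEL SECURITY (the same condition the repo.supabase.missing-rls check looks for). The names checkMigration, BAD_MIGRATION and GOOD_MIGRATION are assumptions of this example.

```typescript
// Added illustration, not FixVibe's own scanner: a small linter for SQL
// migration text. It reports tables created in the public schema (the one
// PostgREST exposes to the anon key) that never get ENABLE ROW LEVEL
// SECURITY, and RLS-enabled tables that define no policy at all.
type Finding = { table: string; issue: "missing-rls" | "no-policies" };

function stripComments(sql: string): string {
  return sql.replace(/--[^\n]*/g, "").replace(/\/\*[\s\S]*?\*\//g, "");
}
// "public"."profiles" / public.profiles / profiles -> "public.profiles"
function qualify(ident: string): string {
  const parts = ident.split(".").map((p) => p.replace(/"/g, "").toLowerCase());
  return parts.length > 1 ? `${parts[0]}.${parts[1]}` : `public.${parts[0]}`;
}
// Collect the first capture group of every match, schema-qualified.
function captures(re: RegExp, src: string): string[] {
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) out.push(qualify(m[1]));
  return out;
}
function checkMigration(sql: string): Finding[] {
  const src = stripComments(sql);
  const created = captures(/create\s+table\s+(?:if\s+not\s+exists\s+)?([\w".]+)/gi, src);
  const rlsOn = new Set(captures(/alter\s+table\s+(?:only\s+)?([\w".]+)\s+enable\s+row\s+level\s+security/gi, src));
  const withPolicy = new Set(captures(/create\s+policy\s+[\w"]+\s+on\s+([\w".]+)/gi, src));
  const findings: Finding[] = [];
  for (const t of created) {
    if (!t.startsWith("public.")) continue; // other schemas are not exposed by default
    const table = t.slice("public.".length);
    if (!rlsOn.has(t)) {
      findings.push({ table, issue: "missing-rls" });
    } else if (!withPolicy.has(t)) {
      // RLS on with no policy denies every row to anon/authenticated (safe, but
      // usually a sign the policies were forgotten, so worth surfacing).
      findings.push({ table, issue: "no-policies" });
    }
  }
  return findings;
}
// Constructed sample migrations (not taken from any real project).
const BAD_MIGRATION = `
create table public.profiles (id uuid primary key, email text);
`;
const GOOD_MIGRATION = `
create table public.profiles (id uuid primary key references auth.users, email text);
alter table public.profiles enable row level security;
create policy "profiles_select_own" on public.profiles
  for select using (auth.uid() = id);
create policy "profiles_update_own" on public.profiles
  for update using (auth.uid() = id) with check (auth.uid() = id);
`;
```

The linter is text-based and deliberately narrow; it does not catch tables created through functions or dynamic SQL, and the service_role key still bypasses every policy, so it must never ship to the browser.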