Supabase RLS scanner: find tables with missing or broken row-level security
Row-level security (RLS) is the only thing standing between your customers' data and the internet when you ship an app on Supabase. AI coding tools produce RLS-shaped code that compiles, deploys, and leaks data silently: tables created without RLS enabled, policies that read but never restrict, predicates that compare a column to itself. This article covers what the Supabase RLS scanner can verify from the outside, the four broken-RLS patterns that show up in vibe-coded apps, and how to scan your own deployment in under a minute.
What an external RLS scan can verify
The passive RLS check runs against the PostgREST endpoint that Supabase exposes at https://[project].supabase.co/rest/v1/. It uses only the anon key, the same key your browser uses, and probes three things: schema listing metadata, anonymous reads, and anonymous writes. It never authenticates as a user and never touches service-role access. Anything it can do, an unauthenticated attacker on the internet can do too.
From outside the database, the scanner can verify the following with high confidence:
- RLS is disabled on a table. PostgREST returns rows for an anonymous SELECT when RLS is disabled or when a policy permits it. Either case is a problem.
- The anonymous role can list tables. GET /rest/v1/ with the anon key returns the OpenAPI schema for every table the anon role has any privilege on. AI-generated apps often grant USAGE on the schema and SELECT on every table, which exposes the full schema map even when RLS blocks the actual reads.
- The anonymous role can insert rows. A POST probe with a guessed column shape succeeds when RLS has no INSERT policy blocking it, even if SELECT is locked down.
- The service-role key is in the browser bundle. Adjacent to RLS: if the scanner finds SUPABASE_SERVICE_ROLE_KEY or any JWT with role: service_role in the JavaScript bundle, RLS is moot; whoever holds that key bypasses every policy.
What an external scan cannot verify
Be honest about the scanner's limits. An external RLS scan cannot read your pg_policies table, your migration files, or the actual predicate of any policy. It reasons from black-box behaviour, which means it will sometimes report a finding that turns out to be intentionally public data (a marketing newsletter table, a public product catalogue). The FixVibe report flags these as medium confidence when the scanner cannot distinguish intent; look at the table name and make the call yourself.
The four broken-RLS patterns AI tools generate
When you point Cursor, Claude Code, Lovable, or Bolt at Supabase, the same four broken-RLS patterns show up across thousands of apps. Each one passes type-checking, compiles, and deploys:
Pattern 1: RLS never enabled
The most common failure mode. The migration creates the table but the developer (or the AI tool) forgets ALTER TABLE ... ENABLE ROW LEVEL SECURITY. PostgREST serves the whole table to anyone holding the anon key. Fix: ALTER TABLE public.[name] ENABLE ROW LEVEL SECURITY; ALTER TABLE public.[name] FORCE ROW LEVEL SECURITY;. FORCE is not optional: without it the table owner (and any role with table ownership) bypasses RLS.
ALTER TABLE public.[name] ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.[name] FORCE ROW LEVEL SECURITY;

Pattern 2: RLS enabled, no policies
The subtle failure. RLS is enabled but no policies are written. PostgreSQL's default is deny, so authenticated users see nothing, and the developer adds USING (true) to make the app work, which lets everyone read everything. Fix: write a proper policy keyed on auth.uid(): CREATE POLICY "select_own" ON public.[name] FOR SELECT USING (auth.uid() = user_id); plus matching INSERT/UPDATE/DELETE policies.
CREATE POLICY "select_own"
ON public.[name]
FOR SELECT
USING (auth.uid() = user_id);

Pattern 3: The policy compares a column to itself
A copy-paste artefact. The developer writes USING (user_id = user_id), which is always true, instead of USING (auth.uid() = user_id). Type-checks pass; the policy permits every row. Fix: always compare a column to a function call (auth.uid(), auth.jwt()->>'org_id', etc.), never to itself or to a constant.
Pattern 4: Policy on SELECT but not on INSERT/UPDATE
The developer locks down reads but forgets writes. RLS policies are per command. FOR SELECT protects reads only; an anonymous client can still INSERT if no policy restricts it. Fix: write a policy for every command, or use FOR ALL with explicit USING and WITH CHECK clauses.
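A complete per-command policy set for a hypothetical public.notes table owned through a user_id column, added here as an example and not FixVibe's or Supabase's own code. It assumes Supabase's built-in anon and authenticated roles, and covers Pattern 2 (predicates keyed on auth.uid(), never USING (true)) and Pattern 4 (every command covered, with WITH CHECK on writes) in one place.

```sql
-- Added example: hypothetical table public.notes(id, user_id uuid, body text).
-- Pattern 1 fix first: enable AND force, so the table owner does not bypass RLS.
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.notes FORCE ROW LEVEL SECURITY;

-- Weak setting (Pattern 2 as AI tools emit it), shown only for contrast:
--   CREATE POLICY "notes_all" ON public.notes FOR ALL USING (true);
-- That predicate is true for every row and every role, anon included.

-- Reads: a signed-in user sees only rows whose user_id matches their JWT subject.
-- The column is compared to a function call, never to itself (Pattern 3).
CREATE POLICY "notes_select_own" ON public.notes
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

-- Inserts have no existing row, so only WITH CHECK applies:
-- the new row must be owned by the caller.
CREATE POLICY "notes_insert_own" ON public.notes
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

-- Updates need both clauses: USING picks which rows may be targeted,
-- WITH CHECK constrains what they may become (no re-parenting to another user).
CREATE POLICY "notes_update_own" ON public.notes
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "notes_delete_own" ON public.notes
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

-- No policy names the anon role, so anonymous PostgREST requests
-- (the ones the scanner issues) get zero rows on every command.
```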
How the FixVibe Supabase RLS scanner works
The baas.supabase-rls check runs in three stages, each with an explicit confidence level:
- Stage 1: fingerprint. The scanner crawls the deployed app, parses the JavaScript bundle, and extracts the Supabase project URL and anon key from the runtime config. No DNS probing, no brute forcing: it reads what the browser reads.
- Stage 2: schema discovery. A single GET /rest/v1/ with the anon key returns the OpenAPI schema for every table the anon role can see. The scanner records table names but reads no row data at this stage.
- Stage 3: read and write probes. For each discovered table, the scanner issues one anonymous SELECT with limit=1. If rows come back, RLS is permissive. The scanner stops there: it does not count rows, paginate, or modify data. INSERT probes are gated behind verified ownership and an explicit opt-in; they never run against an unverified target.
Every finding ships with the exact request URL, response status, response shape (headers only), and table name. The AI fix prompt beneath the finding is a copy-paste SQL block you run in the Supabase SQL editor.
What to do when the scanner finds something
Every RLS finding is a runtime emergency. Attackers scan public PostgREST endpoints within minutes. The fix list is mechanical:
- Audit every table. Run SELECT schemaname, tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; in the Supabase SQL editor. Every row with rowsecurity = false is a problem.
- Enable RLS on every public table. Default to ENABLE ROW LEVEL SECURITY and FORCE ROW LEVEL SECURITY on every table you create; make it part of your migration template.
- Write policies command by command. Do not use FOR ALL USING (true). Write explicit policies for SELECT, INSERT, UPDATE, DELETE, each scoped to auth.uid() or to an org-id column from auth.jwt().
- Verify with a second account. Sign in as a different user and try to read another user's record through the REST API directly. If the response is 200, the policy is broken.
- Rescan. After applying the fixes, run the FixVibe scan again on the same URL. The baas.supabase-rls finding should clear.
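The pg_tables check above only catches Pattern 1. The queries below, added here as an example and not FixVibe's own code, extend that audit to all four patterns using the PostgreSQL catalog views pg_class, pg_tables and pg_policies; the regex for Pattern 3 assumes the deparsed predicate uses lower-case snake_case column names.

```sql
-- Added audit queries: run in the Supabase SQL editor against the public schema.

-- Pattern 1: RLS disabled, or enabled but not forced (owner still bypasses it).
SELECT c.relname AS tablename,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
  AND (NOT c.relrowsecurity OR NOT c.relforcerowsecurity)
ORDER BY c.relname;

-- Pattern 2: RLS enabled but no policy at all. Everything is denied here,
-- which is the state that tempts a developer into USING (true).
SELECT t.tablename
FROM pg_tables t
LEFT JOIN pg_policies p
       ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE t.schemaname = 'public' AND t.rowsecurity
GROUP BY t.tablename
HAVING count(p.policyname) = 0;

-- Patterns 2 and 3: predicates that admit every row, either a bare "true"
-- or a column compared to itself (\1 is a back-reference to the column name).
SELECT tablename, policyname, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND (qual = 'true' OR with_check = 'true'
       OR qual       ~ '\m([a-z_]+) = \1\M'
       OR with_check ~ '\m([a-z_]+) = \1\M');

-- Pattern 4: commands on RLS-enabled tables that no policy addresses
-- (a FOR ALL policy shows up in pg_policies with cmd = 'ALL' and covers all four).
SELECT t.tablename, cmds.cmd AS command_without_policy
FROM pg_tables t
CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE')) AS cmds(cmd)
WHERE t.schemaname = 'public' AND t.rowsecurity
  AND NOT EXISTS (
        SELECT 1 FROM pg_policies p
        WHERE p.schemaname = t.schemaname AND p.tablename = t.tablename
          AND p.cmd IN (cmds.cmd, 'ALL'))
ORDER BY t.tablename, cmds.cmd;
```

Any row returned by the third query is a policy to rewrite against auth.uid() or auth.jwt(); the other three list tables or commands that still need the fixes from the checklist.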
-- Audit every table for missing RLS. Run in the Supabase SQL editor.
SELECT schemaname, tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public'
ORDER BY rowsecurity, tablename;

How this compares to other scanners
Most general-purpose DAST tools (Burp Suite, OWASP ZAP, Nessus) do not know what PostgREST is. They crawl your app, ignore the /rest/v1/ path, and report on the HTML pages they understand. Snyk and Semgrep are static-analysis tools: they find migration files in your repo with a missing RLS call, but they cannot verify that the deployed database is misconfigured. FixVibe sits in that gap: passive, BaaS-aware, and focused on what an unauthenticated attacker can verify from a public URL.
Frequently asked questions
Will the scanner read or modify my data?
No. The passive scan issues at most one SELECT ... limit=1 per discovered table to verify whether RLS permits anonymous reads. The scanner records the response shape, not the row contents. INSERT, UPDATE, and DELETE probes are gated behind verified ownership and never run against an unverified target.
Does this work if my Supabase project is paused or on a custom domain?
Paused projects return 503 on every request; the scanner reports the project as unreachable. Custom domains work as long as the deployed app still loads the Supabase client SDK in the browser; the scanner extracts the project URL from the bundle either way.
What if my anon key has been rotated or my publishable key changed?
Rerun the scan. The scanner re-extracts the key from the current bundle on every run. Rotation only invalidates the previous report, not the policy state of the database.
Does the scanner check the new Supabase publishable key format (sb_publishable_*)?
Yes. The detector recognises both legacy anon JWTs and the new sb_publishable_* keys and treats them identically: both are intended to be public, and both leave RLS as the only line of defence.
Next steps
Run the free FixVibe scan against your production URL; the baas.supabase-rls check is enabled on every plan, including the free tier. For a deeper read on what else can leak from a Supabase project, see Supabase service role key exposed in JavaScript and Supabase storage bucket security checklist. For the umbrella view across all BaaS providers, read the BaaS misconfiguration scanner.
