FixVibe


Supabase storage bucket security checklist: 22 items

Supabase Storage is a thin wrapper around an S3-compatible bucket plus the same Row Level Security model as the database. That means the same RLS problems that affect tables affect file access, plus a handful of storage-specific ones that appear when AI coding tools wire up uploads. This is a 22-item checklist in five sections: bucket configuration, RLS policies, upload validation, signed URLs, and operational hygiene. Each item can be verified in under 15 minutes.

Every item below matters. For the basic RLS work, see the Supabase RLS Scanner. For the key-exposure class that sits right next to storage, see Supabase service role key exposed in JavaScript.

Bucket configuration

Start with the configuration defaults. A misconfigured bucket leaks files whether or not your RLS is correct.

  1. Default every bucket to private. In the Supabase Dashboard → Storage → Buckets, set the Public bucket toggle to off unless you have an explicit reason (marketing assets, public avatars without PII). Public buckets bypass RLS for read operations: anyone who knows the bucket name can list and download.
  2. Set a hard file size limit on every bucket. Dashboard → Bucket settings → File size limit. 50 MB is a sane default for user uploads; raise it deliberately for video / large-file use cases. Without a limit, a single malicious upload can exhaust your storage quota or the month's allowance.
  3. Restrict the allowed MIME types per bucket. The Allowed MIME types list is an explicit allowlist, not a blocklist. image/jpeg, image/png, image/webp for an image-only bucket. Never allow text/html, application/javascript, or image/svg+xml in a user-content bucket: they execute in the browser when served via a signed URL.
  4. Use one bucket per content type, not one shared bucket. Per-bucket settings (size, MIME types, RLS policies) are the only granularity you get. A user-avatars bucket, a document-uploads bucket, and a public-assets bucket are far easier to lock down than one mixed bucket.
  5. Verify the CORS configuration if the frontend uploads. If users upload directly from the browser to a signed URL, the bucket's CORS must list your production origin. * is acceptable for public buckets only, never for buckets that hold user PII.

RLS policies on storage.objects

Supabase Storage keeps file metadata in the storage.objects table. RLS on that table controls who can read, upload, update, or delete files. Without RLS, the public/private bucket flag is your only protection.

  1. Confirm RLS is enabled on storage.objects. SELECT rowsecurity FROM pg_tables WHERE schemaname = 'storage' AND tablename = 'objects'; must return true. Supabase enables it by default on new projects; verify it has not been disabled.
  2. Write a SELECT policy scoped to auth.uid() for private buckets. CREATE POLICY "users_read_own_files" ON storage.objects FOR SELECT USING (auth.uid()::text = (storage.foldername(name))[1]);. The convention is to store files under [user-id]/[filename] and use storage.foldername() to extract the owner from the path.
  3. Write an INSERT policy that enforces the same path convention. CREATE POLICY "users_upload_own" ON storage.objects FOR INSERT WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);. Without WITH CHECK, an authenticated user can upload into another user's folder.
  4. Add UPDATE and DELETE policies if your app supports file replacement or deletion. Each command needs its own policy. Skipping DELETE means authenticated users cannot remove their own files; skipping UPDATE means file overwrites fail silently.
  5. Test cross-user access in two browser sessions. Sign in as User A, upload a file, copy the path. Sign in as User B in another browser and try to fetch that file through the REST API. The response must be 403 or 404, never 200.
```sql
-- Confirm RLS on storage.objects
SELECT rowsecurity
FROM   pg_tables
WHERE  schemaname = 'storage' AND tablename = 'objects';

-- SELECT policy: scope reads to the owning user's folder.
CREATE POLICY "users_read_own_files"
  ON storage.objects
  FOR SELECT
  USING (auth.uid()::text = (storage.foldername(name))[1]);

-- INSERT policy: enforce the [user-id]/[filename] path convention.
CREATE POLICY "users_upload_own"
  ON storage.objects
  FOR INSERT
  WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);
```
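The cross-user read test from item 5 can be scripted instead of clicked through. This is an added example, not FixVibe's or Supabase's code; it assumes the authenticated download route /storage/v1/object/authenticated/<bucket>/<path> and that userBJwt is User B's session access token.

```javascript
// Added example (not FixVibe's or Supabase's code): automates checklist item 5,
// the cross-user read test, against the Storage REST API. Assumption: the
// authenticated-download route is /storage/v1/object/authenticated/<bucket>/<path>.

// Status codes that prove the SELECT policy hid User A's object from User B.
const DENIED = new Set([403, 404]);

function objectUrl(supabaseUrl, bucket, path) {
  // Encode each segment but keep the "/" that separates [user-id]/[filename].
  const encoded = path.split('/').map(encodeURIComponent).join('/');
  const base = supabaseUrl.replace(/\/$/, '');
  return `${base}/storage/v1/object/authenticated/${bucket}/${encoded}`;
}

function judge(status) {
  if (DENIED.has(status)) return { pass: true, note: 'RLS blocked the cross-user read' };
  if (status === 200) return { pass: false, note: "SELECT policy leaks other users' files" };
  return { pass: false, note: `unexpected status ${status}; inspect before signing off` };
}

// fetchImpl is injected so the check runs under global fetch (Node 18+) or a stub.
async function crossUserReadCheck(fetchImpl, { supabaseUrl, anonKey, userBJwt, bucket, path }) {
  const res = await fetchImpl(objectUrl(supabaseUrl, bucket, path), {
    method: 'GET',
    headers: { apikey: anonKey, Authorization: `Bearer ${userBJwt}` },
  });
  return { status: res.status, ...judge(res.status) };
}
```

Run it with User B's token against the path User A uploaded; anything other than pass: true means the SELECT policy needs fixing before the bucket goes live.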

Upload validation

Validate every upload server-side, even when the bucket already has MIME and size limits. AI coding tools generate client-only validation by default; that protects nothing.

  1. Re-check the MIME type server-side from the file's actual bytes, not from the Content-Type header. Use a library such as file-type (Node) or sniff the byte magic yourself. An attacker can claim Content-Type: image/jpeg on a file that is really an HTML / JavaScript polyglot payload.
  2. Strip EXIF metadata from uploaded images. EXIF can contain GPS coordinates, device serial numbers, and timestamps. Use sharp with .withMetadata(false) or exif-parser to strip it before storing.
  3. Reject SVGs that contain script tags or onload handlers. SVG is XML, and most AI-generated apps allow SVG uploads as "just an image." Use DOMPurify server-side or reject SVG uploads entirely.
  4. Use deterministic, unguessable filenames. Do not keep the original filename. Use a UUID or a hash of the file contents. Original filenames leak information ("passport_scan_2024_01_15.jpg"), and guessable names enable enumeration.

Signed URLs

Signed URLs are how clients reach private buckets. Expiry, bucket scope, and what gets logged all matter.

  1. Default signed URL expiry to 1 hour or less. The Supabase JS SDK's createSignedUrl(path, expiresIn) takes seconds. Never use values like 31536000 (one year): the URL becomes a permanent, semi-public link.
  2. Never store signed URLs in your database. Generate fresh ones server-side on every request. A stored signed URL with a one-year expiry that leaks through a data dump grants long-lived access.
  3. Log signed URL generation, not just file uploads. If you suspect a compromise later, you need to know who generated the URL for each object and when. Log auth.uid() + bucket + object path + timestamp.
  4. Use the download option when serving user-uploaded files. createSignedUrl(path, expiresIn, { download: '.jpg' }) forces a Content-Disposition: attachment header so the file downloads instead of rendering, which defeats the HTML / SVG / HTML-in-PDF execution class.
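Items 1 to 4 of this section, as an added server-side wrapper around the SDK's createSignedUrl that is not FixVibe's or Supabase's code. It caps expiry at one hour, forces the download option, refuses paths outside the caller's own folder (an assumption that follows the [user-id]/[filename] convention), and emits the audit record; the audit sink and the supabase client are injected and hypothetical.

```javascript
// Added example, not FixVibe's or Supabase's code: wraps
// supabase.storage.from(bucket).createSignedUrl(path, expiresIn, { download })
// so every signed URL is short-lived, download-only, and logged.
// `audit` is a hypothetical sink (console, audit table, SIEM forwarder).

const MAX_EXPIRY_SECONDS = 3600; // item 1: one hour or less

function clampExpiry(requested) {
  const n = Number.isFinite(requested) && requested > 0 ? Math.floor(requested) : MAX_EXPIRY_SECONDS;
  return Math.min(n, MAX_EXPIRY_SECONDS);
}

// Pure helper: the decision is testable without a Supabase client.
function signedUrlRequest({ userId, bucket, path, expiresIn, downloadName }) {
  // Server-side signing usually runs with the service role, which bypasses RLS,
  // so re-apply the [user-id]/[filename] convention here (assumption).
  if (!path.startsWith(`${userId}/`)) throw new Error('path outside caller folder');
  return {
    bucket,
    path,
    expiresIn: clampExpiry(expiresIn),
    // item 4: Content-Disposition: attachment; a string renames the download.
    options: { download: downloadName || true },
  };
}

async function createAuditedSignedUrl(supabase, audit, params) {
  const req = signedUrlRequest(params);
  const { data, error } = await supabase.storage
    .from(req.bucket)
    .createSignedUrl(req.path, req.expiresIn, req.options);
  // item 3: who generated a URL for which object, and when.
  audit({
    uid: params.userId,
    bucket: req.bucket,
    path: req.path,
    expiresIn: req.expiresIn,
    at: new Date().toISOString(),
    error: error ? error.message : null,
  });
  if (error) throw error;
  return data.signedUrl; // item 2: return it, never persist it
}
```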

Operational hygiene

Storage configuration drifts over time. These four operational items keep the surface tight.

  1. Audit buckets every quarter. Dashboard → Storage → Buckets. Confirm the public/private state and the MIME type list still match what the app expects. Buckets created "temporarily" become permanent if nobody removes them.
  2. Watch for anonymous list operations. Storage logs (Dashboard → Logs → Storage) record LIST requests. A spike in anonymous list requests against a private bucket means someone is probing from outside.
  3. Set a retention policy for temporary uploads. Temp buckets (preview images, draft uploads) should delete themselves after 24-72 hours via a scheduled job. Unbounded retention is a liability under GDPR / CCPA and data-minimization practices.
  4. Run the FixVibe scan monthly. The baas.supabase-storage-public check looks for buckets that answer anonymous GET + LIST. New buckets get added and old ones change visibility; only continuous scanning catches the drift.

Next steps

Run the FixVibe scan against your production URL: anonymous storage listings show up under baas.supabase-storage-public. Pair this checklist with the Supabase RLS Scanner for table rows and with Supabase service role key exposed in JavaScript for the key-exposure angle. For storage misconfigurations in other BaaS providers, see the BaaS misconfiguration scanner.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints their public endpoints, and reports what an unauthenticated client can read or write. Free, no sign-up, no card.

  • Free tier: 3 scans / month, no card required to sign up.
  • Silent BaaS fingerprinting: no credentials required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix instructions on every finding: paste them back into Cursor / Claude Code.