Attacker Impact
An attacker can gain unauthorized access to other users' data, modify database records, or steal resources by exploiting common oversights in MVP projects. This includes reading tenant data because of missing access controls [S4], or using leaked API keys to run up costs and exfiltrate data from integrated services [S2].
Root Cause
In the rush to launch an MVP, developers, especially those relying on AI-assisted "vibe coding", frequently neglect foundational security settings. The primary sources of these weaknesses are:
- Secret leakage: credentials such as database connection strings or AI provider keys are accidentally committed to version control [S2].
- Broken access control: applications fail to enforce strict boundaries, allowing users to reach resources that belong to others [S4].
- Misconfigured database rules: in modern Backend-as-a-Service (BaaS) setups such as Supabase, failing to configure Row Level Security (RLS) correctly exposes customer data directly through the client-side libraries [S5].
- Weak token management: improper handling of authentication tokens can lead to session hijacking or unauthorized API access [S3].
Concrete Fixes
Implement Row Level Security (RLS)
For applications built on a Postgres-based backend such as Supabase, RLS must be enabled on every table. RLS ensures that the database engine itself enforces access boundaries, preventing a user from querying another user's data even when they hold a valid token [S5].
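As an added example (not FixVibe's or Supabase's own code), this is the fix described above applied to a hypothetical profiles table: the weak state, the hardened policies, and a check that simulates the per-role view PostgREST gets. Table, column and UUID values are assumed.

```sql
-- Added example: enabling Row Level Security on a Supabase/Postgres table so the
-- database itself enforces per-user isolation. Table and column names are assumed.
create table if not exists public.profiles (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null,          -- the authenticated user who owns this row
  email      text not null,
  created_at timestamptz not null default now()
);

-- WEAK: with RLS off, any client holding the public anon key can read every row
-- through PostgREST, e.g. GET /rest/v1/profiles?select=*

-- FIX 1: turn RLS on. With no policy yet, RLS denies all rows to non-owner roles.
alter table public.profiles enable row level security;
-- Apply policies to the table-owning role too. Roles with BYPASSRLS (such as
-- Supabase's service_role) still bypass them, so keep that key server-side only.
alter table public.profiles force row level security;

-- FIX 2: let users see and edit only their own rows. auth.uid() is Supabase's
-- helper returning the JWT "sub" claim of the caller (null for anon).
create policy profiles_select_own on public.profiles
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy profiles_modify_own on public.profiles
  for all to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

-- No policy is created for the anon role, so unauthenticated PostgREST
-- requests receive zero rows instead of the whole table.

-- CHECK: simulate a logged-in user, then an anonymous caller. request.jwt.claims
-- is the per-request setting Supabase populates; the UUID below is constructed.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  select count(*) from public.profiles;   -- only rows where owner_id matches sub
  set local role anon;
  select set_config('request.jwt.claims', '{"role":"anon"}', true);
  select count(*) from public.profiles;   -- 0: no policy grants anon access
rollback;
```

Run the check block from a role that is a member of both authenticated and anon (the postgres role in a Supabase project); if the second count is not zero, a permissive anon policy or a missing ENABLE ROW LEVEL SECURITY is still in place.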
Automated Secret Scanning
Integrate secret scanning into the development workflow to detect and block pushes that contain credentials such as API keys or certificates [S2]. If a secret is exposed, it must be revoked and rotated immediately, because it has to be treated as compromised [S2].
Enforce Strict Token Practices
Follow industry standards for token security, including secure, HTTP-only cookies for session management, and make tokens sender-constrained where possible so that a stolen token cannot be replayed by an attacker [S3].
Implement General Web Security
Ensure the application applies standard web security measures, such as a Content Security Policy (CSP) and secure transport, to reduce the surface for browser-based attacks [S1].
How FixVibe Tests for This
FixVibe already covers this class of data leakage across several families of live checks:
- Supabase RLS exposure: baas.supabase-rls extracts the public Supabase URL and anon key from same-origin assets, enumerates the objects exposed over PostgREST, and reports whether table data is readable.
- Repo RLS gaps: repo.supabase.missing-rls reviews authorized GitHub migration SQL for public tables created without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY migration.
- Supabase Storage posture: baas.supabase-security-checklist-backfill reviews public storage bucket metadata and listing exposure without downloading or modifying customer data.
- Client-side secrets and browser posture: secrets.js-bundle-sweep, headers.security-headers, and headers.cookie-attributes flag leaked client-side credentials, missing key security headers, and weak cookie flags.
- Gated access-control checks: when a customer enables active checks and domain ownership has been verified, the active.idor-walking and active.tenant-isolation tests detect IDOR/BOLA-style paths and tenant data exposure.
