FixVibe
Covered by FixVibe (severity: high)

Next.js + Supabase Auth: Row Level Security (RLS) Disabled

Applications built with Next.js and Supabase typically rely on Row Level Security (RLS) to protect their data. Leaving RLS disabled, or misconfiguring the Supabase client, can expose the entire database, letting unauthenticated users read or modify sensitive rows.

CWE-284: Improper Access Control

Impact

If Row Level Security (RLS) is not enforced correctly, attackers can bypass the application's logic and read, update, or delete rows directly in the database [S1]. This routinely exposes Personally Identifiable Information (PII) or other sensitive application data to anyone holding the public anon API key, which is shipped in the client bundle and must be treated as public knowledge.

Root Cause

Supabase uses Postgres Row Level Security to control data access inside the database itself, which is what keeps data private when the API is reachable by everyone [S1]. In a Next.js environment, developers must build a Supabase client that handles cookies and sessions correctly so that the user's identity survives server-side rendering [S2]. The vulnerability typically arises when:

  • Tables are created without RLS enabled, making them readable and writable through the public anon key [S1].
  • The Supabase client is misconfigured in Next.js and fails to pass the user's auth token to the database, so queries run as the anon role and auth.uid() is null inside every policy [S2].
  • Developers use the service_role key in client-side code; that key bypasses all RLS policies [S1].

Concrete Fix

  • Enable RLS: make sure Row Level Security is enabled on every table in the Supabase database, including tables created by migrations rather than through the dashboard [S1]. With RLS enabled and no policies a table denies everything to anon and authenticated; with RLS disabled it allows everything.
  • Define policies: write separate Postgres policies for SELECT, INSERT, UPDATE, and DELETE that restrict access to the caller's auth.uid() according to the user's role [S1]. For INSERT and UPDATE, put the condition in WITH CHECK as well as USING so a user cannot write rows they would not be allowed to read.
  • Use the SSR clients: build the Supabase clients in Next.js with the @supabase/ssr package so the session cookie is read on the server and the user's JWT, not the anon role, reaches the database [S2].
  • Keep service_role on the server: the service_role key bypasses RLS entirely, so it belongs only in server-side code and never in a NEXT_PUBLIC_ environment variable or the client bundle [S1].
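The first two steps carried out as one migration, added here as a worked example; it is not code from FixVibe, Supabase, or the cited sources. The table public.profiles, its columns, and the policy names are assumptions for illustration; auth.uid(), the anon and authenticated roles, and the policy syntax are standard Supabase/Postgres.

```sql
-- Added example (not from FixVibe or the Supabase docs). Hypothetical table:
-- one profile row per auth user, keyed by the user's id from auth.users.
create table if not exists public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  email        text          -- PII: must never be readable with the anon key
);

-- Step 1: enable RLS. Until this runs, the table is fully readable and
-- writable through PostgREST by anyone holding the public anon key.
alter table public.profiles enable row level security;
-- Apply the policies to the table owner as well (roles with BYPASSRLS,
-- such as service_role, still skip them).
alter table public.profiles force row level security;

-- Step 2: one policy per operation, scoped to the caller's auth.uid().
-- No policy is granted to anon, so unauthenticated requests get zero rows.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (id = (select auth.uid()));

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (id = (select auth.uid()));

-- UPDATE needs both clauses: USING selects the rows the user may touch,
-- WITH CHECK stops them from rewriting id to another user's id.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (id = (select auth.uid()))
  with check (id = (select auth.uid()));

create policy "profiles_delete_own" on public.profiles
  for delete to authenticated
  using (id = (select auth.uid()));
```

The third step is what makes auth.uid() meaningful on the server: a client built with @supabase/ssr reads the session cookie and sends the user's JWT with each request, so these policies evaluate against the real user rather than the anon role. A quick check of the migration is to call the REST endpoint for the table with only the anon key: it should return an empty array, never rows.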

How FixVibe tests for it

FixVibe already covers this through both deployed-application scanning and repository review. The baas.supabase-rls module detects Supabase URL and anon key pairs in the served JavaScript bundles, queries PostgREST for the public table metadata, and performs read-only selects to confirm that private data is exposed, without modifying customer data. Repo scans also run repo.supabase.missing-rls to flag SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY, and secret scans look for an exposed service_role key before it reaches the browser.
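An in-database audit that complements FixVibe's external probe, added here as an example rather than FixVibe's own checks. Run it in the Supabase SQL editor or psql as a role that can read the catalogs; the only names used are the standard Postgres catalog views pg_tables, pg_policies, pg_class, and pg_namespace.

```sql
-- Added audit queries (not FixVibe's checks). Read-only against the catalogs.

-- 1. Tables in the public schema (exposed through PostgREST) with RLS disabled:
--    readable and writable by anyone holding the anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by tablename;

-- 2. RLS enabled but no policies at all: deny-all for anon and authenticated,
--    which usually means a migration was left unfinished rather than a leak.
select t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and t.rowsecurity
group by t.tablename
having count(p.policyname) = 0;

-- 3. Policies reachable without a login: granted to anon or to PUBLIC (all
--    roles). Review each one; using (true) on a table holding PII is the
--    classic mistake.
select tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and ('anon' = any(roles) or 'public' = any(roles))
order by tablename, policyname;

-- 4. Views in public: a view runs with its owner's privileges by default and
--    so bypasses RLS on the tables it reads, unless it was created with
--    security_invoker = on (Postgres 15+). Anything listed without that
--    option in reloptions needs a second look.
select c.relname, c.reloptions
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'v'
order by c.relname;
```

Query 1 is the direct equivalent of the repo.supabase.missing-rls finding, but evaluated against the live database rather than the migration files, so it also catches tables created by hand in the dashboard.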