FixVibe
Covered by FixVibe (high)

Unauthorized Data Access via Missing Supabase Row Level Security (RLS)

In Supabase-backed applications, data security depends on Row Level Security (RLS). If RLS is not explicitly enabled and configured with policies, any anonymous user who holds the public key can read, update, or delete data across the entire database. This matters especially in Next.js deployments, where the Supabase client is initialized with the public API key.

CWE-284

Impact

Failing to enforce Row Level Security (RLS) lets unauthenticated attackers query the Supabase database when public tables are exposed at the API boundary [S1]. Because Next.js applications typically ship the Supabase anon key in client-side code, an attacker can use that key to make REST API calls directly against the target's database and reach the sensitive data stored there [S2].

Root Cause

By default, Postgres tables in Supabase require Row Level Security to be enabled explicitly in order to block public access [S1]. When a developer creates a table but forgets to enable RLS, or fails to define restrictive policies, the database can expose its data to anyone who holds the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so that the correct user context reaches the database layer [S2].

Concrete Fixes

  • Enable RLS: Run ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1].
  • Define Policies: Create specific policies that restrict access based on the user's identity, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1].


  • Secure Server-Side Clients: When using Next.js, keep the service client server-only, and still apply ownership filters before returning data to users [S2].
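The two SQL fixes above worked through on one table, together with audit queries that find tables still missing RLS or policies. This is an added example, not FixVibe's code or the page's own; the notes table, its user_id column and the policy names are constructed, and it assumes the Supabase authenticated role and the auth.uid() helper.

```sql
-- Constructed schema: each note belongs to one user.
-- Assumption: notes.user_id holds the auth.users.id that auth.uid() returns.
CREATE TABLE public.notes (
  id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id uuid NOT NULL,
  body    text NOT NULL
);

-- Weak state: at this point RLS is off, so a request made with the anon key
-- through PostgREST can read and modify every row of public.notes.

-- Hardened state: turn RLS on, then grant access row by row.
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;

-- Signed-in users may read only their own rows.
CREATE POLICY "notes_select_own" ON public.notes
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

-- Signed-in users may insert rows only for themselves.
CREATE POLICY "notes_insert_own" ON public.notes
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

-- Updates must start from an owned row and must leave it owned by the same user.
CREATE POLICY "notes_update_own" ON public.notes
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "notes_delete_own" ON public.notes
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

-- No policy is granted to the anon role, so an unauthenticated request
-- receives zero rows rather than the whole table.

-- Audit 1: tables in the public schema where RLS is still disabled.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public' AND NOT rowsecurity;

-- Audit 2: tables with RLS enabled but no policies at all (everything is
-- denied, which is safe, but usually means the policies were forgotten).
SELECT t.tablename
FROM pg_tables t
LEFT JOIN pg_policies p
       ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE t.schemaname = 'public' AND t.rowsecurity AND p.policyname IS NULL;
```

Running both audit queries in the SQL editor after each migration catches the same gap that a repo scan for a missing ENABLE ROW LEVEL SECURITY would.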


How FixVibe tests for this

FixVibe already runs a read-only Supabase RLS check via baas.supabase-rls. The scanner discovers the Supabase project URL and the public anon key from same-origin JavaScript sources, queries PostgREST for the list of public tables, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier via repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.