FixVibe
Covered by FixVibe: high

Supabase Security Checklist: RLS, API Keys, and Storage

This research note outlines the core security controls for Supabase projects. It focuses on correctly implementing Row Level Security (RLS) to protect data rows, securely handling the anon and service_role API keys, and enforcing access control on storage buckets to reduce the risk of data exposure and unauthorized access.

CWE-284, CWE-668

Hook

Securing a Supabase project requires a multi-layered approach that covers API key management, database security, and storage permissions. [S1] Misconfigured Row Level Security (RLS) or exposed sensitive keys can lead to critical data exposure. [S2] [S3]

What changed

This research consolidates the core security controls for Supabase environments based on the official architecture guidelines. [S1] It focuses on the transition from default development settings to hardened production configurations, particularly regarding access control mechanisms. [S2] [S3]

Who is affected

Applications that use Supabase as a Backend-as-a-Service (BaaS) are affected, particularly those that handle user-specific data or private assets. [S2] Developers who include the service_role key in client-side bundles, or who fail to enable RLS, are at high risk. [S1]

How the issue works

Supabase uses PostgreSQL Row Level Security to restrict data access. [S2] By default, if RLS is not enabled on a table, any user holding the anon key, which is typically public, can access all of the table's data. [S1] Similarly, Supabase Storage requires explicit policies to define which users or roles may perform operations on file buckets. [S3]


What the attacker gains

An attacker holding the public API key can exploit tables that lack RLS to read, modify, or delete other users' data. [S1] [S2] Unauthorized access to storage buckets can expose private user files or allow deletion of critical application assets. [S3]


How FixVibe tests for it

FixVibe now covers this as part of its Supabase checks. baas.supabase-security-checklist-backfill reviews public Supabase storage metadata, exposed anonymous bucket listings, revealing bucket names, and unbound Storage signals observed from the public boundary. Related live checks look for service key leakage, the Supabase REST/RLS posture, and storage SQL migrations that omit RLS.
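For teams who want to run the equivalent audit inside their own database, the following queries list tables in the `public` schema that have RLS disabled or enabled but without any policy, and storage buckets marked public. This is an added example using the standard PostgreSQL catalog views (`pg_tables`, `pg_policies`) and the Supabase `storage.buckets` table; it is not FixVibe's own check logic.

```sql
-- Added audit example (not FixVibe's own code). Run as a privileged
-- database role, e.g. via the Supabase SQL editor or psql.

-- 1. Tables exposed through the REST API (schema public) with RLS off.
--    pg_tables.rowsecurity is false when RLS has never been enabled.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by tablename;

-- 2. Tables where RLS is on but no policy exists: with RLS enabled and
--    zero policies, PostgreSQL denies all row access to non-owner roles,
--    which usually means the app is broken rather than exposed, but it is
--    worth reviewing because it is often "fixed" by disabling RLS again.
select t.schemaname, t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and t.rowsecurity
group by t.schemaname, t.tablename
having count(p.policyname) = 0
order by t.tablename;

-- 3. Policies that grant access to the anon role or to everyone (public):
--    review each one to confirm it is intentional.
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname in ('public', 'storage')
  and (roles::text[] && array['anon', 'public'])
order by schemaname, tablename, policyname;

-- 4. Storage buckets flagged public: objects in these buckets are readable
--    without any policy check.
select id, name, public
from storage.buckets
where public
order by id;
```

Any row returned by query 1 or 4 corresponds directly to the exposure described above: the anon key reaches the whole table, or the whole bucket, without a policy deciding per row or per object.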


What to fix

Always enable Row Level Security on data tables and implement explicit policies for authenticated users. [S2] Ensure that only the 'anon' key is used in client-side code, while the 'service_role' key stays on the server. [S1] Configure Storage access controls so that file buckets are private by default and access is granted only through explicit security policies. [S3]
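The hardening steps above (enable RLS, write explicit policies for authenticated users, keep buckets private and gate them by policy) can be expressed as a single migration. The following is an added example, not code from FixVibe or from Supabase; the `public.profiles` table, its `user_id` column, and the `private-uploads` bucket are constructed names. It relies on the Supabase-provided `auth.uid()` and `storage.foldername()` functions and on the `authenticated` role.

```sql
-- Added hardening example (constructed schema; not the project's own code).

-- Sample table: one row per user, owned via user_id (assumed column).
create table if not exists public.profiles (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),
  display    text,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. With no policies yet, every role except the table owner
--    is denied, so the anon key can no longer read the whole table.
alter table public.profiles enable row level security;

-- 2. Explicit policies for authenticated users, scoped to their own rows.
--    USING filters rows that can be seen/changed; WITH CHECK validates
--    new or updated rows so a user cannot write a row with another user_id.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can insert"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "profiles: owner can delete"
  on public.profiles for delete
  to authenticated
  using (auth.uid() = user_id);

-- No policy is created for the anon role, so unauthenticated requests
-- (anon key only) get zero rows. The service_role key bypasses RLS, which
-- is why it must stay server-side.

-- 3. Storage: a private bucket (public = false) plus object policies that
--    only let a user touch files under a folder named after their own uid.
insert into storage.buckets (id, name, public)
values ('private-uploads', 'private-uploads', false)
on conflict (id) do nothing;

create policy "private-uploads: owner can read"
  on storage.objects for select
  to authenticated
  using (
    bucket_id = 'private-uploads'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "private-uploads: owner can upload"
  on storage.objects for insert
  to authenticated
  with check (
    bucket_id = 'private-uploads'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "private-uploads: owner can delete"
  on storage.objects for delete
  to authenticated
  using (
    bucket_id = 'private-uploads'
    and (storage.foldername(name))[1] = auth.uid()::text
  );
```

With this in place, a client using the anon key can only act on `profiles` rows and `private-uploads` objects once it presents a valid user JWT, and then only on rows and objects tied to that user's `auth.uid()`. Key separation is an application concern rather than a SQL one: the anon key goes into the browser or mobile bundle, and the service_role key is read from server-side configuration only.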