FixVibe
Covered by FixVibe (high)

# Secure Next.js + Supabase: Prevent Row Level Security (RLS) Bypass

Learn how to secure your Next.js and Supabase application by correctly configuring Row Level Security (RLS) and server-side clients.

Applications built with Next.js and Supabase often rely on Row Level Security (RLS) to protect data. Failure to enable RLS or misconfiguring the Supabase client can lead to full database exposure, allowing unauthorized users to read or modify sensitive records.

CWE-284 (Improper Access Control)

## Impact

Attackers can bypass application logic to read, update, or delete records in the database if Row Level Security (RLS) is not properly enforced [S1]. This often results in the exposure of Personally Identifiable Information (PII) or sensitive application data to users who only have access to the public anonymous API key.

## Root Cause

Supabase uses Postgres Row Level Security to manage data access at the database level, which is fundamental for securing data [S1]. In a Next.js environment, developers must create a Supabase client that correctly handles cookies and sessions to maintain security during server-side rendering [S2]. Vulnerabilities typically arise when:

  • Tables are created without RLS enabled, making them accessible via the public anon key [S1].
  • The Supabase client is misconfigured in Next.js, failing to properly pass user authentication tokens to the database [S2].
  • Developers accidentally use the service_role key in client-side code, which bypasses all RLS policies [S1].

## Concrete Fixes

  • Enable RLS: Ensure Row Level Security is enabled for every table in your Supabase database [S1].
  • Define Policies: Create specific Postgres policies for SELECT, INSERT, UPDATE, and DELETE operations to restrict access based on the user's UID [S1].
  • Use SSR Clients: Implement the @supabase/ssr package to create clients in Next.js that correctly manage server-side authentication and session persistence [S2].
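Concretely, fixes 1 and 2 above look like the following migration. This is an added example, not code from the FixVibe page or from Supabase itself; the `profiles` table, its `user_id` column and the policy names are assumptions made for the illustration.

```sql
-- Added example (not from the FixVibe page): a migration for a hypothetical
-- "profiles" table whose rows belong to the user stored in user_id.
create table if not exists public.profiles (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid()
                 references auth.users (id) on delete cascade,
  display_name text,
  created_at   timestamptz not null default now()
);

-- Fix 1: enable RLS. Until this runs, a request carrying the public anon key
-- can read and write every row of the table through PostgREST.
alter table public.profiles enable row level security;

-- Fix 2: one policy per operation, keyed on the caller's auth.uid().
-- Policies are granted to the "authenticated" role only, so an anonymous
-- request matches no policy and gets an empty result set rather than data.
-- Wrapping auth.uid() in a subselect lets Postgres evaluate it once per query.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (user_id = (select auth.uid()))        -- which rows may be targeted
  with check (user_id = (select auth.uid()));  -- what the row may become

create policy "profiles_delete_own" on public.profiles
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- Verify that all four policies are attached before shipping the migration.
select policyname, cmd, roles
from pg_policies
where schemaname = 'public' and tablename = 'profiles'
order by cmd;
```

Two things worth keeping in mind: the `update` policy needs both `using` and `with check`, otherwise a user could re-assign a row they own to another `user_id`; and none of these policies constrain the `service_role` key, which bypasses RLS by design, so the third root cause above (that key reaching client-side code) is only fixed by keeping it on the server.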

## How FixVibe tests for it

FixVibe already covers this through deployed-app and repo checks. The passive baas.supabase-rls module discovers Supabase URL and anon-key pairs from same-origin JavaScript bundles, asks PostgREST for public table metadata, and performs limited read-only selects to confirm anonymous data exposure without mutating customer data. Repo scans also run repo.supabase.missing-rls to flag SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY, and secret scans look for service-role key exposure before it reaches the browser.
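The repo check flags migrations that forget `ENABLE ROW LEVEL SECURITY`; the same condition can be audited in the live database, which also catches tables created by hand in the dashboard. The query below is an added example and not FixVibe's own check. It uses only Postgres catalog views and functions, so it assumes nothing about your schema beyond the API-exposed schema being `public`; run it as a privileged role in `psql` or the SQL editor.

```sql
-- Added example (not FixVibe's own check): a database-side audit that
-- mirrors the repo.supabase.missing-rls finding.

-- 1. Tables in the API-exposed "public" schema with RLS switched off, together
--    with what the anon role may do to them. Any row here is reachable with the
--    public anon key exactly as the passive module confirms; the fix is
--    `alter table public.<name> enable row level security;` plus policies.
select c.relname as table_name,
       has_table_privilege('anon', c.oid, 'SELECT') as anon_select,
       has_table_privilege('anon', c.oid, 'INSERT') as anon_insert,
       has_table_privilege('anon', c.oid, 'UPDATE') as anon_update,
       has_table_privilege('anon', c.oid, 'DELETE') as anon_delete
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')      -- ordinary and partitioned tables
  and not c.relrowsecurity         -- RLS not enabled
order by c.relname;

-- 2. Tables with RLS enabled but no policies at all. These deny everything to
--    anon and authenticated, so they are not a data exposure, but they usually
--    mean the migration stopped after "enable row level security".
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.oid) = 0
order by c.relname;
```

`has_table_privilege` is used instead of `information_schema.role_table_grants` because the latter only lists grants for roles the current session is a member of, which would silently hide `anon` in some setups. An empty result from query 1 is the state the passive check should observe as "no anonymous exposure".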