FixVibe
Covered by FixVibe (severity: high)

Unauthorized Data Access via Missing Supabase Row Level Security (RLS)

Missing or misconfigured Row Level Security (RLS) in Supabase-backed applications can lead to exposure of the entire database.

In Supabase-backed applications, data security relies on Row Level Security (RLS). Supabase serves the tables of the API-exposed schema (by default `public`) through PostgREST and grants the `anon` and `authenticated` roles privileges on them, so if RLS is not explicitly enabled and configured with policies, anyone holding the public anon key can read, update, or delete the data in every unprotected table. This is particularly critical in Next.js environments, where the Supabase client is usually initialized with the anon key and that key ships to the browser.

CWE-284: Improper Access Control

Impact

Failure to implement Row Level Security (RLS) allows unauthenticated attackers to query data from a Supabase database when public tables are exposed through the anon boundary [S1]. Because Next.js applications typically expose the Supabase anon key in client-side code, an attacker can take that key from the bundle and make direct REST (PostgREST) calls to the database, bypassing the application's intended logic and reading or modifying sensitive user data [S2]. No authentication bypass is required: the anon key is a public credential by design, and RLS is the only layer that limits what it can reach.

Root Cause

Postgres tables in Supabase require explicit activation of Row Level Security to prevent public access [S1]. Tables created through the dashboard Table Editor get RLS enabled for you, but tables created with SQL (migrations, `supabase db push`, ad-hoc statements in the SQL editor) have it disabled until the migration turns it on. When a developer creates a table this way but forgets to enable RLS, or enables it without defining restrictive policies, the database exposes the data to anyone possessing the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so that the authenticated user's JWT is forwarded to the database layer; otherwise `auth.uid()` resolves to NULL and ownership policies cannot match [S2].

Concrete Fixes

  • Enable RLS: Execute ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1]. With RLS on and no policies, the table denies every row to anon and authenticated callers, so enabling it never widens access; it only stops working requests until policies exist.
  • Define Policies: Create specific policies that restrict access based on the user's authentication status, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1]. Write one policy per command (SELECT, INSERT, UPDATE, DELETE) and use WITH CHECK on INSERT and UPDATE so a caller cannot write rows that belong to someone else.
  • Secure Server-Side Clients: When using Next.js, keep service-role clients server-only and still apply ownership filters before returning data to users [S2]. The service-role key bypasses RLS entirely, so never place it in a NEXT_PUBLIC_ environment variable: Next.js inlines those into the browser bundle.
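The three steps above as one migration, shown here as an added example rather than code from FixVibe or Supabase. It assumes a hypothetical `public.profiles` table whose owner column is `user_id` and a made-up user UUID for the verification step; rename both to match your schema.

```sql
-- Added example (not FixVibe's or Supabase's own code). Assumes a hypothetical
-- public.profiles table with an owner column user_id; adjust names to your schema.

-- BEFORE: a migration like this leaves the table readable and writable with the
-- anon key. Supabase grants anon/authenticated privileges on public tables by
-- default, and a table created via SQL has RLS disabled until it is enabled.
create table public.profiles (
  id        uuid primary key default gen_random_uuid(),
  user_id   uuid not null references auth.users (id) on delete cascade,
  email     text not null,
  full_name text
);

-- AFTER: turn RLS on and add one policy per command. With RLS on and no
-- policy, anon and authenticated see no rows (deny by default). service_role
-- bypasses RLS, which is why that key must never reach a browser.
alter table public.profiles enable row level security;

-- Only an authenticated caller may read, and only their own row.
-- (select auth.uid()) is evaluated once per query instead of once per row.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- New rows must carry the caller's own user_id; WITH CHECK guards writes.
create policy "profiles: owner can insert"
  on public.profiles for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- Updates may only touch the caller's row and may not hand it to another user.
create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "profiles: owner can delete"
  on public.profiles for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- VERIFY from the SQL editor by impersonating the two API roles. Each block is
-- rolled back so the role switch and the fake JWT claims do not leak.
begin;
  set local role anon;
  -- anon has no policy on the table, so RLS hides every row from this query
  select count(*) from public.profiles;
rollback;

begin;
  set local role authenticated;
  -- auth.uid() reads the sub claim from request.jwt.claims; the UUID is assumed.
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
                    true);
  -- only rows whose user_id equals that sub pass the SELECT policy
  select id, email from public.profiles;
rollback;
```

Keep the verification transactions in your migration test, not in the migration itself: they are how you prove the policies reject the anon role before the schema reaches production.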

How FixVibe tests for it

FixVibe already runs a read-only Supabase RLS check through baas.supabase-rls. The scanner discovers the Supabase project URL and public anon key from same-origin JavaScript bundles, asks PostgREST for public table metadata, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier through repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.
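FixVibe's check probes from the outside through PostgREST. The same question can be asked from inside the database before deployment; the queries below are an added example (not FixVibe's `baas.supabase-rls` or `repo.supabase.missing-rls` logic) that audits the catalog for the three conditions that leave a public table reachable with the anon key. They assume the API-exposed schema is the default `public` and run as the `postgres` role in the Supabase SQL editor or through `psql`.

```sql
-- Added example (not FixVibe's own check). Assumes the API-exposed schema is
-- "public"; run as the postgres role in the SQL editor or via psql.

-- 1. Tables in public with RLS disabled: the direct cause this page describes.
select n.nspname as schema_name,
       c.relname  as table_name,
       c.relforcerowsecurity as forced_for_owner
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
  and not c.relrowsecurity
order by c.relname;

-- 2. Tables with RLS enabled but no policy at all. These deny everything to
--    anon/authenticated, which is safe but usually means the app is broken or
--    the table is only meant to be reached by service-role code on the server.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.policyname) = 0
order by c.relname;

-- 3. Policies that are effectively "allow all" for anonymous callers: an
--    unconditional USING or WITH CHECK granted to PUBLIC (no TO clause) or to
--    anon. RLS is on, but it protects nothing. NULL comparisons are false, so
--    a SELECT policy with a real USING clause is not flagged for its NULL
--    with_check.
select tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (roles = '{public}' or 'anon' = any(roles))
  and (qual = 'true' or with_check = 'true')
order by tablename, policyname;

-- 4. What anon may do at the privilege layer. RLS only filters rows within
--    the commands granted here; Supabase grants these on public by default,
--    so revoking a privilege is an extra, coarser control on top of policies.
select table_name,
       string_agg(privilege_type, ', ' order by privilege_type) as anon_privileges
from information_schema.role_table_grants
where grantee = 'anon'
  and table_schema = 'public'
group by table_name
order by table_name;
```

Query 1 is the finding the scanner confirms from outside; queries 2 and 3 catch the two ways a "fixed" table is still wrong (no policy, or a policy that admits everyone), and query 4 shows the grants that make RLS the only barrier in the first place.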