FixVibe
Covered by FixVibe | Severity: high

Next.js + Supabase Security: Preventing Row Level Security (RLS) Bypasses

Learn how to secure your Next.js and Supabase application by correctly configuring Row Level Security (RLS) and server-side clients.

Applications built with Next.js and Supabase often rely on Row Level Security (RLS) to protect data, because Supabase exposes every table in the public schema through an auto-generated REST API. Failing to enable RLS, or misconfiguring the Supabase client, can expose the whole database: anyone holding the public anon key, which ships in the browser bundle by design, can read or modify sensitive records.

CWE-284 (Improper Access Control)

Impact

Attackers can bypass application logic and talk to the auto-generated REST API directly to read, update, or delete records if Row Level Security (RLS) is not properly enforced [S1]. This often results in the exposure of Personally Identifiable Information (PII) or sensitive application data to anyone holding the public anon key, which every visitor receives with the frontend JavaScript.

Root Cause

Supabase uses Postgres Row Level Security to manage data access at the database level, so the database rather than the application code is the enforcement point, which is fundamental for securing data [S1]. In a Next.js environment, developers must create a Supabase client that correctly handles cookies and sessions so that server-side rendering runs each query as the signed-in user rather than as the anonymous role [S2]. Vulnerabilities typically arise when:

  • Tables are created without RLS enabled; PostgREST exposes every table in the public schema, so such tables are fully readable and writable with the public anon key [S1].
  • The Supabase client is misconfigured in Next.js, so server-side requests are made without the user's session cookie and reach the database as the anon role instead of the authenticated user, and auth.uid() in policies evaluates to null [S2].
  • Developers accidentally use the service_role key in client-side code, which bypasses all RLS policies [S1]. In Next.js this commonly happens by giving the variable a NEXT_PUBLIC_ prefix, which inlines it into the browser bundle.

Concrete Fixes

  • Enable RLS: Turn on Row Level Security for every table in your Supabase database that is reachable through the API, which by default means the whole public schema [S1]. Enabling RLS with no policies denies all access to the anon and authenticated roles, so a feature that stops working after the change is the expected signal, not a reason to switch RLS back off.
  • Define Policies: Write one Postgres policy per operation (SELECT, INSERT, UPDATE, DELETE) that restricts rows to the caller's UID via auth.uid() [S1]. INSERT and UPDATE policies need a WITH CHECK clause so a user cannot write a row that belongs to someone else.
  • Use SSR Clients: Implement the @supabase/ssr package (createServerClient with cookie callbacks on the server, createBrowserClient in the browser) so that Server Components, Route Handlers and middleware forward the signed-in user's session token to the database and auth.uid() resolves to that user [S2]. Keep the service_role key in server-only environment variables, never behind a NEXT_PUBLIC_ prefix.
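The three fixes applied to one table, as an added example that is not FixVibe's or Supabase's own code. It assumes a hypothetical public.profiles table in which each row belongs to one auth.users account; the table name, columns and policy names are illustrative:

```sql
-- Added example, not FixVibe's or Supabase's own code. Assumes a hypothetical
-- public.profiles table where each row is owned by one auth.users account.
create table if not exists public.profiles (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id) on delete cascade,
  display_name text,
  created_at   timestamptz not null default now()
);

-- Vulnerable state: a table in the public schema with RLS off is readable and
-- writable by anyone holding the anon key, because PostgREST exposes it as-is.
-- Enabling RLS flips the default to deny-all for the anon and authenticated
-- roles; only roles with BYPASSRLS (Supabase's service_role) still see every row.
alter table public.profiles enable row level security;

-- One policy per operation. "to authenticated" excludes the anon role entirely.
-- auth.uid() returns the sub claim of the caller's JWT, so each row must belong
-- to the user making the request.
create policy profiles_select_own on public.profiles
  for select to authenticated
  using (user_id = auth.uid());

-- WITH CHECK governs the row being written: a user cannot insert a row for
-- someone else's user_id.
create policy profiles_insert_own on public.profiles
  for insert to authenticated
  with check (user_id = auth.uid());

-- USING picks which rows may be targeted, WITH CHECK what they may become,
-- so a user cannot reassign one of their rows to another user_id.
create policy profiles_update_own on public.profiles
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy profiles_delete_own on public.profiles
  for delete to authenticated
  using (user_id = auth.uid());
```

After this migration, a request carrying only the anon key gets an empty result set from the table instead of every row, and a request carrying a user's session JWT (which the @supabase/ssr server client forwards from the cookie) sees only that user's rows. A request made with the service_role key still returns everything, which is why that key must never reach the browser.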

How FixVibe tests for it

FixVibe already covers this through deployed-app and repo checks. The passive baas.supabase-rls module discovers Supabase URL and anon-key pairs from same-origin JavaScript bundles (the anon key is public by design, so the finding is what it can reach, not that it is present), asks PostgREST for public table metadata, and performs limited read-only selects to confirm anonymous data exposure without mutating customer data. Repo scans also run repo.supabase.missing-rls to flag SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY, and secret scans look for service-role key exposure before it reaches the browser. A quick manual check for the latter: the JWT-format Supabase keys carry a role claim, so base64-decoding a key's payload segment shows "role":"anon" for the public key and "role":"service_role" for the one that must stay server-side.
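A query an engineer can run in the Supabase SQL editor to reproduce the repo.supabase.missing-rls check against the live database rather than the migration files, as an added example that is not FixVibe's scanner. It lists every table in the public schema that is either exposed (RLS off) or locked but unusable (RLS on with no policies), the two states the fixes above are meant to move a table out of:

```sql
-- Added example, not FixVibe's own scanner: audit the public schema for tables
-- the anon key can dump (RLS off) and for tables that are locked but have no
-- policies yet (RLS on, every anon/authenticated query returns nothing).
select n.nspname || '.' || c.relname as table_name,
       c.relrowsecurity              as rls_enabled,
       count(p.polname)              as policy_count,
       case
         when not c.relrowsecurity then 'EXPOSED: anon key can read and write all rows'
         when count(p.polname) = 0 then 'LOCKED: RLS on but no policies, app queries return nothing'
       end                           as finding
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
group by n.nspname, c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0
order by c.relrowsecurity, c.relname;
```

The query deliberately lists only tables. Views in the public schema are exposed by PostgREST too, and a view runs with its owner's privileges unless it was created with security_invoker = true (Postgres 15 and later), so it can skip the RLS of the tables underneath it; audit those separately (relkind 'v' in pg_class) rather than assuming the table-level result covers them.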