FixVibe
Covered by FixVibe: high

Unauthorized data access through missing Supabase Row Level Security (RLS)

Missing or misconfigured Row Level Security (RLS) in Supabase-backed apps can lead to full data exposure.

In Supabase-backed applications, data security relies on Row Level Security (RLS). If RLS is not explicitly enabled and configured with policies, any user with the public anonymous key can read, update, or delete data across the entire database. This is particularly critical in Next.js environments where the Supabase client is often initialized with a public API key.

CWE-284

Impact

Failure to implement Row Level Security (RLS) allows unauthenticated attackers to query data from a Supabase database when public tables are exposed through the anon boundary [S1]. Because Next.js applications typically expose the Supabase anon key in client-side code, an attacker can use this key to make direct REST API calls to the database, bypassing the intended application logic and accessing sensitive user information [S2].

Root Cause

By default, Postgres tables in Supabase require explicit activation of Row Level Security to prevent public access [S1]. When a developer creates a table but forgets to enable RLS or fails to define restrictive policies, the database may expose data to anyone possessing the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so authenticated user context reaches the database layer [S2].

Concrete Fixes

  • Enable RLS: Execute ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1].
  • Define Policies: Create specific policies that restrict access based on the user's authentication status, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1].
  • Secure Server-Side Clients: When using Next.js, keep service-role clients server-only and still apply ownership filters before returning data to users [S2].

How FixVibe tests for it

FixVibe already runs a read-only Supabase RLS check through baas.supabase-rls. The scanner discovers the Supabase project URL and public anon key from same-origin JavaScript bundles, asks PostgREST for public table metadata, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier through repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.
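As an added example (not FixVibe's own code), here is a small migration linter in the spirit of the repo.supabase.missing-rls check described above: it scans constructed SQL migrations, reports public tables created without ENABLE ROW LEVEL SECURITY, and also reports tables where RLS is on but no policy exists, which ties the Concrete Fixes list to the repo scan. The regexes, sample migrations and function names are assumptions.

```python
import re

# Constructed sample migrations (not from the page or from FixVibe): the first
# leaves a public table without RLS, the second applies the fixes listed above.
VULNERABLE_MIGRATION = """
create table public.profiles (id uuid primary key, user_id uuid not null, email text);
"""
HARDENED_MIGRATION = """
create table public.profiles (id uuid primary key, user_id uuid not null, email text);
alter table public.profiles enable row level security;
create policy "Users can see their own data" on public.profiles
  for select using (auth.uid() = user_id);
"""

# A Postgres identifier: double-quoted (case preserved) or bare (case folded).
_IDENT = r'(?:"([^"]+)"|([A-Za-z_][A-Za-z0-9_]*))'
_QUALIFIED = rf'(?:{_IDENT}\s*\.\s*)?{_IDENT}'  # optional schema, then table
_CREATE = re.compile(rf'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?{_QUALIFIED}', re.I)
_ENABLE = re.compile(rf'\balter\s+table\s+(?:only\s+)?{_QUALIFIED}\s+enable\s+row\s+level\s+security', re.I)
_POLICY = re.compile(rf'\bcreate\s+policy\s+{_IDENT}\s+on\s+{_QUALIFIED}', re.I)

def _name(match):
    """Normalise the last four capture groups (schema, table) to 'schema.table'."""
    sq, sb, tq, tb = match.groups()[-4:]
    schema = sq if sq else (sb.lower() if sb else "public")  # unqualified -> public
    return f"{schema}.{tq if tq else tb.lower()}"

def audit_migration(sql):
    """Map each table created in the public schema to its RLS state and policy count."""
    sql = re.sub(r'--[^\n]*|/\*.*?\*/', '', sql, flags=re.S)  # drop SQL comments
    report = {}
    for m in _CREATE.finditer(sql):
        if _name(m).startswith("public."):
            report[_name(m)] = {"rls_enabled": False, "policies": 0}
    for m in _ENABLE.finditer(sql):
        if _name(m) in report:
            report[_name(m)]["rls_enabled"] = True
    for m in _POLICY.finditer(sql):
        if _name(m) in report:
            report[_name(m)]["policies"] += 1
    return report

def missing_rls(sql):
    """Public tables created without ENABLE ROW LEVEL SECURITY: the repo-scan finding."""
    return sorted(t for t, s in audit_migration(sql).items() if not s["rls_enabled"])

def locked_out(sql):
    """Public tables with RLS on but no policy: deny-by-default, so the app itself cannot read them."""
    return sorted(t for t, s in audit_migration(sql).items() if s["rls_enabled"] and s["policies"] == 0)
```

Run it over a real migrations directory by concatenating the files before calling audit_migration, since a table is often created in one migration and secured in a later one.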