FixVibe
Covered by FixVibe: high


This research article outlines critical security configurations for Supabase projects. It focuses on the proper implementation of Row Level Security (RLS) to protect database rows, secure handling of anon and service_role API keys, and enforcing access control for storage buckets to mitigate risks of data exposure and unauthorized access.

CWE-284, CWE-668

The hook

Securing a Supabase project requires a multi-layered approach focusing on API key management, database security, and storage permissions. [S1] Improperly configured Row Level Security (RLS) or exposed sensitive keys can lead to significant data exposure incidents. [S2] [S3]

What changed

This research consolidates core security controls for Supabase environments based on official architecture guidelines. [S1] It focuses on the transition from default development configurations to production-hardened postures, specifically regarding access control mechanisms. [S2] [S3]

Who is affected

Applications utilizing Supabase as a Backend-as-a-Service (BaaS) are affected, particularly those that handle user-specific data or private assets. [S2] Developers who include the service_role key in client-side bundles or fail to enable RLS are at high risk. [S1]

How the issue works

Supabase leverages PostgreSQL's Row Level Security to restrict data access. [S2] By default, if RLS is not enabled on a table, any user with the anon key—which is often public—can access all records. [S1] Similarly, Supabase Storage requires explicit policies to define which users or roles can perform operations on file buckets. [S3]

What an attacker gets

An attacker possessing a public API key can exploit tables missing RLS to read, modify, or delete data belonging to other users. [S1] [S2] Unauthorized access to storage buckets can lead to the exposure of private user files or the deletion of critical application assets. [S3]

How FixVibe tests for it

FixVibe now covers this as part of its Supabase checks. baas.supabase-security-checklist-backfill reviews public Supabase Storage bucket metadata, anonymous object-listing exposure, sensitive bucket naming, and Storage signals that are reachable with nothing more than the public anon key. Related live checks inspect service-role key exposure, Supabase REST/RLS posture, and repository SQL migrations for tables that are created without RLS.

What to fix

Always enable Row Level Security on database tables and implement granular policies for authenticated users. [S2] Ensure that only the 'anon' key is used in client-side code, while the 'service_role' key remains on the server. [S1] Configure Storage Access Control to ensure that file buckets are private by default and access is granted only through defined security policies. [S3]
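The following migration is an added example, not code from the FixVibe article or from Supabase; it shows the insecure default described under "How the issue works" next to the hardened posture described under "What to fix". The table name `profiles`, the bucket name `avatars`, and the `<user id>/<file>` object layout are assumptions; `auth.uid()`, `storage.foldername()`, `storage.buckets` and `storage.objects` are standard Supabase objects.

```sql
-- Added example (not from the FixVibe article). Assumed names: public.profiles,
-- bucket "avatars", objects stored as "<auth.uid()>/<file>".

-- BEFORE (insecure default): a table created with no RLS. Because the anon
-- key ships in client bundles, any client can read and write every row of
-- this table through the auto-generated REST API.
create table public.profiles (
  id       uuid primary key references auth.users (id) on delete cascade,
  username text not null,
  bio      text
);

-- AFTER (hardened): enable RLS, then grant access only to the row's owner.
-- With RLS enabled and no policy, anon and authenticated callers see no rows.
alter table public.profiles enable row level security;

create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Storage: create the bucket private (public = false) so objects are neither
-- listed nor served unless a policy on storage.objects allows it.
insert into storage.buckets (id, name, public)
values ('avatars', 'avatars', false);

-- The first path segment of the object name must equal the caller's user id,
-- for reads (using) and for uploads (with check) alike.
create policy "avatars: owner can read"
  on storage.objects for select
  to authenticated
  using (bucket_id = 'avatars'
         and (storage.foldername(name))[1] = auth.uid()::text);

create policy "avatars: owner can upload"
  on storage.objects for insert
  to authenticated
  with check (bucket_id = 'avatars'
              and (storage.foldername(name))[1] = auth.uid()::text);
```

None of these policies constrain the service_role key, which bypasses RLS entirely; that is why the article insists it stays on the server. A quick self-check is to query the table and list the bucket with only the anon key and confirm that an unauthenticated call returns no rows and no objects.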