Unauthorized Data Access via Missing Supabase Row Level Security (RLS)

Covered by FixVibe (high)

Missing or misconfigured Row Level Security (RLS) in Supabase-backed applications can leave the entire database exposed.

In Supabase-backed applications, data security relies on Row Level Security (RLS). If RLS is not explicitly enabled and configured with policies, any user with the public anonymous key can read, update, or delete data across the entire database. This is particularly critical in Next.js environments where the Supabase client is often initialized with a public API key.

CWE-284

Impact

Failure to implement Row Level Security (RLS) allows unauthenticated attackers to query data from a Supabase database when public tables are exposed through the anon boundary [S1]. Because Next.js applications typically expose the Supabase anon key in client-side code, an attacker can use this key to make direct REST API calls to the database, bypassing the intended application logic and accessing sensitive user information [S2].

Root Cause

By default, Postgres tables in Supabase require explicit activation of Row Level Security to prevent public access [S1]. When a developer creates a table but forgets to enable RLS or fails to define restrictive policies, the database may expose data to anyone possessing the project's anon key [S1]. In Next.js applications, server-side rendering and client-side fetching also require careful Supabase client setup so authenticated user context reaches the database layer [S2].

Concrete Fixes

  • Enable RLS: Execute ALTER TABLE "your_table_name" ENABLE ROW LEVEL SECURITY; for every public table that stores app data [S1].
  • Define Policies: Create specific policies that restrict access based on the user's authentication status, such as CREATE POLICY "Users can see their own data" ON your_table_name FOR SELECT USING (auth.uid() = user_id); [S1].
  • Secure Server-Side Clients: When using Next.js, keep service-role clients server-only and still apply ownership filters before returning data to users [S2].
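A migration that carries out the first two fixes for a hypothetical profiles table and ends with the queries a reviewer can run to confirm them. This is an added example, not code from the FixVibe page; the table name, column names and policy names are assumptions.

```sql
-- Added example (not from the FixVibe page): a migration for a hypothetical
-- public.profiles table. The table is created and RLS is enabled in the same
-- migration, which is what a repo check for CREATE TABLE without
-- ENABLE ROW LEVEL SECURITY expects to see.
create table if not exists public.profiles (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id) on delete cascade,
  display_name text,
  email        text,
  created_at   timestamptz not null default now()
);

-- Fix 1: enable RLS. Without this line the anon key can read every row
-- of the table through PostgREST.
alter table public.profiles enable row level security;

-- Fix 2: one policy per operation, each scoped to the caller's auth.uid().
-- No policy is granted to the anon role, so a request without a user
-- session matches nothing and returns zero rows.
create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can insert"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);  -- blocks inserting rows owned by someone else

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);  -- blocks re-assigning a row to another user

create policy "profiles: owner can delete"
  on public.profiles for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check 1: public tables still without RLS (expect no rows after this migration).
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Check 2: the policies now attached to the table (expect four rows).
select policyname, cmd, roles
from pg_policies
where schemaname = 'public' and tablename = 'profiles';
```

The third fix is not expressed in SQL: a server-side client created with the service-role key bypasses these policies entirely, so any Next.js route using it must filter on the authenticated user's id itself before returning rows.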

How FixVibe tests for it

FixVibe already runs a read-only Supabase RLS check through baas.supabase-rls. The scanner discovers the Supabase project URL and public anon key from same-origin JavaScript bundles, asks PostgREST for public table metadata, and attempts limited read-only selects to confirm whether data is exposed without a user session. It does not insert, update, delete, or use service-role credentials. Repo scans can also catch this earlier through repo.supabase.missing-rls, which flags SQL migrations that create public tables without ENABLE ROW LEVEL SECURITY.