supabase-audit-functions


Edge Functions Audit


🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
  • Write to .sb-pentest-context.json IMMEDIATELY after each function tested
  • Log to .sb-pentest-audit.log BEFORE and AFTER each function test
  • DO NOT wait until the skill completes to update files
  • If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill discovers and tests Supabase Edge Functions for security issues.

When to Use This Skill


  • To discover exposed Edge Functions
  • To test function authentication requirements
  • To check for input validation issues
  • As part of comprehensive security audit

Prerequisites


  • Supabase URL available
  • Detection completed

Understanding Edge Functions


Supabase Edge Functions are Deno-based serverless functions served at:
https://[project].supabase.co/functions/v1/[function-name]

| Security Aspect | Consideration |
|---|---|
| Authentication | Functions can require a JWT or be public |
| CORS | Cross-origin access control |
| Input Validation | User input handling |
| Secrets | Environment variable exposure |

Two points about authentication matter when reading test results. First, a gateway in front of every function checks that the request carries a valid JWT for the project unless the function was deployed with that check disabled (`verify_jwt = false` in config.toml, or `supabase functions deploy --no-verify-jwt`, the usual setting for webhook receivers). A 401 on an unauthenticated request can therefore come from the gateway while the function code does no checking at all. Second, the project's anon key (a JWT signed with the project secret, in projects on the legacy key format) is shipped to every client, so a function that only passes the gateway check is reachable by anyone; user-level authentication exists only if the function code calls `supabase.auth.getUser()` (or equivalent) and acts on the result.

Tests Performed


| Test | Purpose |
|---|---|
| Function discovery | Find exposed functions |
| Auth requirements | Check if a JWT is required |
| Input validation | Test for injection |
| Error handling | Check for information disclosure |

Usage


Basic Function Audit


Audit Edge Functions on my Supabase project

Test Specific Function


Test the process-payment Edge Function for security issues

Output Format


═══════════════════════════════════════════════════════════
 EDGE FUNCTIONS AUDIT
═══════════════════════════════════════════════════════════

 Project: abc123def.supabase.co
 Endpoint: https://abc123def.supabase.co/functions/v1/

 ─────────────────────────────────────────────────────────
 Function Discovery
 ─────────────────────────────────────────────────────────

 Discovery Method: Common name enumeration + client code analysis

 Functions Found: 5

 ─────────────────────────────────────────────────────────
 1. hello-world
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/hello-world
 Method: GET, POST

 Authentication Test:
 ├── Without JWT: ✅ 200 OK
 └── Status: ℹ️ Public function (no auth required)

 Response:
 ```json
 {"message": "Hello, World!"}
 ```

 Assessment: ✅ APPROPRIATE
 Simple public endpoint, no sensitive operations.

 ─────────────────────────────────────────────────────────
 2. process-payment
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/process-payment
 Method: POST

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 ├── With valid JWT: ✅ 200 OK
 └── Status: ✅ Authentication required

 Input Validation Test:
 ├── Missing amount: ❌ 400 Bad Request (good)
 ├── Negative amount: ❌ 400 Bad Request (good)
 ├── String amount: ❌ 400 Bad Request (good)
 └── Valid input: ✅ 200 OK

 Error Response Test:
 ├── Error format: Generic message (good)
 └── Stack trace: ❌ Not exposed (good)

 Assessment: ✅ PROPERLY SECURED
 Requires auth, validates input, safe error handling.

 ─────────────────────────────────────────────────────────
 3. get-user-data
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/get-user-data
 Method: GET

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 └── Status: ✅ Authentication required

 Authorization Test:
 ├── Request own data: ✅ 200 OK
 ├── Request other user's data: ✅ 200 OK ← 🔴 P0!
 └── Status: 🔴 BROKEN ACCESS CONTROL

 Test:
 ```bash
 # As user A, request user B's data (URL quoted so the shell leaves "?" alone)
 curl "https://abc123def.supabase.co/functions/v1/get-user-data?user_id=user-b-id" \
   -H "Authorization: Bearer [user-a-token]"

 # Returns user B's data!
 ```

 Finding: 🔴 P0 - IDOR VULNERABILITY
 Function accepts a user_id parameter without verifying that the authenticated user is requesting their own data.

 Fix:
 ```typescript
 // In the Edge Function, after the JWT has been verified (see Secure Function Patterns)
 const user_id = new URL(req.url).searchParams.get('user_id'); // the parameter arrives in the GET query string
 const jwt_user = await getUser(req);                           // helper returning the user from the verified JWT, never from the request

 // Verify ownership
 if (!user_id || user_id !== jwt_user.id) {
   return new Response('Forbidden', { status: 403 });
 }
 ```

 ─────────────────────────────────────────────────────────
 4. admin-panel
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/admin-panel
 Method: GET, POST

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 ├── With regular user JWT: ✅ 200 OK ← 🔴 P0!
 └── Status: 🔴 MISSING ROLE CHECK

 Finding: 🔴 P0 - PRIVILEGE ESCALATION
 Admin function accessible to any authenticated user. No role verification in function code.

 Fix:
 ```typescript
 // Verify admin role. is_admin must live in a column the user cannot write
 // (enforce with RLS on profiles), otherwise the check is self-granted.
 const user = await getUser(req);
 const { data: profile } = await supabase
   .from('profiles')
   .select('is_admin')
   .eq('id', user.id)
   .single();

 if (!profile?.is_admin) {
   return new Response('Forbidden', { status: 403 });
 }
 ```

 ─────────────────────────────────────────────────────────
 5. webhook-handler
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/webhook-handler
 Method: POST

 Authentication Test:
 ├── Without JWT: ✅ 200 OK (deployed with JWT verification disabled; expected for webhooks)
 └── Status: ℹ️ Public (webhook endpoints are typically public)

 Webhook Security Test:
 ├── Signature validation: ⚠️ Unable to test (need valid signature)
 └── Rate limiting: Unknown

 Error Response Test:
 ```json
 {
   "error": "Invalid signature",
   "expected": "sha256=abc123...",
   "received": "sha256=xyz789..."
 }
 ```

 Finding: 🟠 P1 - INFORMATION DISCLOSURE
 Error response echoes the signature the server expected next to the one it received. At minimum this reveals the validation scheme (HMAC-SHA256 over the body, "sha256=" prefix). If the echoed value is the HMAC the server computed over the submitted body, it is worse than disclosure: the attacker can resend the same body with that signature and pass validation. Confirm which it is and escalate to P0 if the replay works.

 Fix:
 ```typescript
 // Generic error to the caller; details only in server-side logs
 if (!validSignature) {
   console.error(`Invalid signature: expected ${expected}, got ${received}`);
   return new Response('Unauthorized', { status: 401 });
 }
 ```

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 Functions Found: 5

 Security Assessment:
 ├── ✅ Secure: 2 (hello-world, process-payment)
 ├── 🔴 P0: 2 (get-user-data IDOR, admin-panel privilege escalation)
 └── 🟠 P1: 1 (webhook-handler info disclosure)

 Critical Findings:
   1. IDOR in get-user-data - any user can access any user's data
   2. Missing role check in admin-panel - any user is admin

 Priority Actions:
   1. Fix get-user-data to verify the user owns the requested data
   2. Add admin role verification to admin-panel
   3. Stop echoing the expected signature from webhook-handler, and check whether the leaked value permits replay

═══════════════════════════════════════════════════════════
═══════════════════════════════════════════════════════════
 EDGE FUNCTIONS 审计
═══════════════════════════════════════════════════════════

 项目: abc123def.supabase.co
 端点: https://abc123def.supabase.co/functions/v1/

 ─────────────────────────────────────────────────────────
 函数发现
 ─────────────────────────────────────────────────────────

 发现方式: 通用名称枚举 + 客户端代码分析

 已发现函数: 5个

 ─────────────────────────────────────────────────────────
 1. hello-world
 ─────────────────────────────────────────────────────────

 端点: /functions/v1/hello-world
 请求方法: GET, POST

 身份验证测试:
 ├── 无JWT: ✅ 200 OK
 └── 状态: ℹ️ 公开函数(无需身份验证)

 响应:
 ```json
 {"message": "Hello, World!"}
评估: ✅ 符合安全要求 简单的公开端点,无敏感操作。
───────────────────────────────────────────────────────── 2. process-payment ─────────────────────────────────────────────────────────
端点: /functions/v1/process-payment 请求方法: POST
身份验证测试: ├── 无JWT: ❌ 401 Unauthorized ├── 有效JWT: ✅ 200 OK └── 状态: ✅ 需身份验证
输入验证测试: ├── 缺少金额参数: ❌ 400 Bad Request(符合要求) ├── 金额为负数: ❌ 400 Bad Request(符合要求) ├── 金额为字符串: ❌ 400 Bad Request(符合要求) └── 有效输入: ✅ 200 OK
错误响应测试: ├── 错误格式: 通用提示信息(符合要求) └── 堆栈跟踪: ❌ 未暴露(符合要求)
评估: ✅ 安全配置正确 需身份验证、验证输入、错误处理安全。
───────────────────────────────────────────────────────── 3. get-user-data ─────────────────────────────────────────────────────────
端点: /functions/v1/get-user-data 请求方法: GET
身份验证测试: ├── 无JWT: ❌ 401 Unauthorized └── 状态: ✅ 需身份验证
授权测试: ├── 请求自身数据: ✅ 200 OK ├── 请求其他用户数据: ✅ 200 OK ← 🔴 P0级漏洞! └── 状态: 🔴 访问控制失效
测试命令:
bash
# 以用户A的身份,请求用户B的数据
curl https://abc123def.supabase.co/functions/v1/get-user-data?user_id=user-b-id \
  -H "Authorization: Bearer [user-a-token]"

# 返回了用户B的数据!
检测结果: 🔴 P0 - IDOR漏洞 函数接受user_id参数,但未验证已认证用户是否在请求自身数据。
修复方案:
typescript
// 在Edge Function中
const { user_id } = await req.json();
const jwt_user = getUser(req); // 从JWT获取

// 验证所有权
if (user_id !== jwt_user.id) {
  return new Response('Forbidden', { status: 403 });
}
───────────────────────────────────────────────────────── 4. admin-panel ─────────────────────────────────────────────────────────
端点: /functions/v1/admin-panel 请求方法: GET, POST
身份验证测试: ├── 无JWT: ❌ 401 Unauthorized ├── 普通用户JWT: ✅ 200 OK ← 🔴 P0级漏洞! └── 状态: 🔴 缺少角色校验
检测结果: 🔴 P0 - 权限提升漏洞 管理员函数可被任何已认证用户访问。函数代码中无角色验证逻辑。
修复方案:
typescript
// 验证管理员角色
const user = getUser(req);
const { data: profile } = await supabase
  .from('profiles')
  .select('is_admin')
  .eq('id', user.id)
  .single();

if (!profile?.is_admin) {
  return new Response('Forbidden', { status: 403 });
}
───────────────────────────────────────────────────────── 5. webhook-handler ─────────────────────────────────────────────────────────
端点: /functions/v1/webhook-handler 请求方法: POST
身份验证测试: ├── 无JWT: ✅ 200 OK(符合Webhook的常规设置) └── 状态: ℹ️ 公开访问(Webhook端点通常设为公开)
Webhook安全测试: ├── 签名验证: ⚠️ 无法测试(需要有效签名) └── 速率限制: 未知
错误响应示例:
json
{
  "error": "Invalid signature",
  "expected": "sha256=abc123...",
  "received": "sha256=xyz789..."
}
检测结果: 🟠 P1 - 信息泄露 错误响应暴露了预期的签名格式,可能帮助攻击者理解验证机制。
修复方案:
typescript
// 返回通用错误,详细信息仅在服务器端记录
if (!validSignature) {
  console.error(`Invalid signature: expected ${expected}, got ${received}`);
  return new Response('Unauthorized', { status: 401 });
}
───────────────────────────────────────────────────────── 总结 ─────────────────────────────────────────────────────────
已发现函数: 5个
安全评估: ├── ✅ 安全: 2个(hello-world, process-payment) ├── 🔴 P0级: 2个(get-user-data的IDOR漏洞, admin-panel的权限提升漏洞) └── 🟠 P1级: 1个(webhook-handler的信息泄露)
严重检测结果:
  1. get-user-data存在IDOR漏洞 - 任何用户都可访问其他用户的数据
  2. admin-panel缺少角色校验 - 任何用户都可获得管理员权限
优先修复项:
  1. 修复get-user-data,验证请求用户是否拥有对应数据
  2. 为admin-panel添加管理员角色验证
  3. 修复webhook-handler的错误提示信息
═══════════════════════════════════════════════════════════
undefined

Common Function Vulnerabilities


| Vulnerability | Description | Severity |
|---|---|---|
| No auth | Function accessible without JWT | P0-P2 |
| IDOR | User can access other users' data | P0 |
| Missing role check | Regular user accesses admin functions | P0 |
| Input injection | User input not validated | P0-P1 |
| Info disclosure | Errors reveal internal details | P1-P2 |
| CORS misconfigured | Accessible from unintended origins | P1-P2 |

Function Discovery Methods


1. Client Code Analysis


```javascript
// Look for function invocations in client code
supabase.functions.invoke('function-name', {...})
fetch('/functions/v1/function-name', {...})
```

2. Common Name Enumeration


Tested function names:
  • hello-world, hello, test
  • process-payment, payment, checkout
  • get-user-data, user, profile
  • admin, admin-panel, dashboard
  • webhook, webhook-handler, stripe-webhook
  • send-email, notify, notification

3. Error Response Analysis


404 Not Found → Function doesn't exist
401 Unauthorized → Function exists, needs auth
200 OK → Function exists, accessible

Probe each candidate twice: once with no Authorization header and once with the project's anon key as the Bearer token. Without a token, a project with gateway JWT verification enabled may answer 401 for non-existent names as well, since the JWT check can happen before routing, so the 404/401 split above is only reliable on the anon-key probe. A 401 that persists with the anon key means the function code itself rejects the caller; a 200 with the anon key means anyone holding that public key can call it, whatever the unauthenticated probe said. A function can also return 404 from its own code, so treat "does not exist" as a best guess rather than proof.
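The three discovery methods above combined into one script. This is an added example and not part of the skill: the HTTP probe is injected and replaced here by a constructed gateway table, the sample client bundle is constructed too, and the project host and `anon-key-placeholder` are placeholders, so it runs offline. It goes slightly beyond the 404/401/200 table by splitting "exists, needs auth" into gateway-only and function-level checks.

```typescript
// Added example (not the skill's code): client-bundle scraping, wordlist
// probing and status-code classification for Edge Function discovery. The
// probe is injected so the logic runs offline against a constructed gateway.

export type Probe = (url: string, bearer?: string) => Promise<number>;

export type FunctionState =
  | 'missing'            // 404 on the anon-key probe: the gateway routed and found nothing
  | 'public'             // 2xx with no token at all
  | 'anon_accessible'    // 401 without a token, 2xx with the public anon key: only the
                         //   gateway JWT check is in front of it, so effectively public
  | 'user_auth_required' // 401 even with the anon key: function code checks the caller
  | 'exists_other';      // exists, but a bare probe gets e.g. 400 or 405

// 1. Client code analysis: harvest names from shipped JavaScript.
export function extractFunctionNames(bundle: string): string[] {
  const names: Record<string, true> = {};
  const patterns = [
    /functions\.invoke\(\s*['"`]([\w-]+)['"`]/g, // supabase.functions.invoke('name', ...)
    /\/functions\/v1\/([\w-]+)/g,               // fetch(url + '/functions/v1/name')
  ];
  for (const re of patterns) {
    let m: RegExpExecArray | null;
    while ((m = re.exec(bundle)) !== null) names[m[1]] = true;
  }
  return Object.keys(names).sort();
}

// 2. Common name enumeration: the skill's wordlist.
export const COMMON_FUNCTION_NAMES: string[] = [
  'hello-world', 'hello', 'test',
  'process-payment', 'payment', 'checkout',
  'get-user-data', 'user', 'profile',
  'admin', 'admin-panel', 'dashboard',
  'webhook', 'webhook-handler', 'stripe-webhook',
  'send-email', 'notify', 'notification',
];

// 3. Error response analysis: one verdict from the two probes.
export function classify(statusNoToken: number, statusAnonKey: number): FunctionState {
  const ok = (s: number) => s >= 200 && s < 300;
  if (statusAnonKey === 404) return 'missing';
  if (ok(statusNoToken)) return 'public';
  if (statusNoToken === 401 && ok(statusAnonKey)) return 'anon_accessible';
  if (statusNoToken === 401 && statusAnonKey === 401) return 'user_auth_required';
  return 'exists_other';
}

export async function discoverFunctions(
  baseUrl: string, candidates: string[], anonKey: string, probe: Probe,
): Promise<Record<string, FunctionState>> {
  const found: Record<string, FunctionState> = {};
  const unique = candidates.filter((n, i) => candidates.indexOf(n) === i);
  for (const name of unique) {
    const url = `${baseUrl}/functions/v1/${name}`;
    const [noToken, withAnon] = await Promise.all([probe(url), probe(url, anonKey)]);
    const state = classify(noToken, withAnon);
    if (state !== 'missing') found[name] = state;
  }
  return found;
}

// --- Constructed sample data standing in for a live project -----------------

export const SAMPLE_BUNDLE: string =
  'const { data } = await supabase.functions.invoke("get-user-data", { body: { user_id: id } });\n' +
  'fetch(SUPABASE_URL + "/functions/v1/admin-panel", { headers: { Authorization: "Bearer " + jwt } });\n';

// name -> [status without token, status with anon key]; unlisted names do not exist
const FAKE_GATEWAY: Record<string, [number, number]> = {
  'hello-world': [200, 200],     // fully public
  'get-user-data': [401, 401],   // code calls getUser() and rejects the anon role
  'admin-panel': [401, 401],     // same: needs a user JWT (role check is a separate test)
  'send-email': [401, 200],      // gateway check only: anyone with the anon key gets in
  'webhook-handler': [400, 400], // deployed with --no-verify-jwt, rejects an unsigned body
};

export const fakeProbe: Probe = async (url, bearer) => {
  const name = url.slice(url.indexOf('/functions/v1/') + '/functions/v1/'.length);
  const entry = FAKE_GATEWAY[name];
  if (!entry) return bearer ? 404 : 401; // gateway: JWT check first, then routing
  return bearer ? entry[1] : entry[0];
};

export async function demoDiscovery(): Promise<Record<string, FunctionState>> {
  const candidates = [...extractFunctionNames(SAMPLE_BUNDLE), ...COMMON_FUNCTION_NAMES];
  return discoverFunctions('https://abc123def.supabase.co', candidates, 'anon-key-placeholder', fakeProbe);
}
```

Against a live project, replace `fakeProbe` with a `fetch` wrapper that returns `response.status`, keep the probe rate low, and record every request in the evidence directory described below.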

Context Output


```json
{
  "functions_audit": {
    "timestamp": "2025-01-31T14:30:00Z",
    "functions_found": 5,
    "findings": [
      {
        "function": "get-user-data",
        "severity": "P0",
        "vulnerability": "IDOR",
        "description": "Any authenticated user can access any user's data",
        "remediation": "Verify user owns requested resource"
      },
      {
        "function": "admin-panel",
        "severity": "P0",
        "vulnerability": "Privilege Escalation",
        "description": "No role check, any authenticated user is admin",
        "remediation": "Add admin role verification"
      }
    ]
  }
}
```

Secure Function Patterns


Authentication Check


```typescript
import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => {
  // Get the JWT from the Authorization header (format: "Bearer <jwt>")
  const authHeader = req.headers.get('Authorization');
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return new Response('Unauthorized', { status: 401 });
  }
  const token = authHeader.slice('Bearer '.length);

  // Client created with the anon key and the caller's header forwarded;
  // auth.getUser(token) validates the JWT against the project's Auth server
  // instead of trusting its contents
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL')!,
    Deno.env.get('SUPABASE_ANON_KEY')!,
    { global: { headers: { Authorization: authHeader } } }
  );

  const { data: { user }, error } = await supabase.auth.getUser(token);
  if (error || !user) {
    return new Response('Unauthorized', { status: 401 });
  }

  // User is authenticated; user.id is the identity to authorise against
  // ...
  return new Response('ok');
});
```

Authorization Check (IDOR Prevention)


```typescript
// For user-specific resources: the target comes from the request,
// the identity from the verified JWT (user from auth.getUser above)
const body = await req.json();
const requestedUserId = body.user_id;
const authenticatedUserId = user.id;

if (requestedUserId !== authenticatedUserId) {
  return new Response('Forbidden', { status: 403 });
}
```

Role Check (Admin)


```typescript
// Check admin role. The role must live in a column the user cannot write
// (enforce with RLS on profiles), otherwise this check is self-granted.
// The query runs as the caller, so a row they cannot read yields null and
// fails closed.
const { data: profile } = await supabase
  .from('profiles')
  .select('role')
  .eq('id', user.id)
  .single();

if (profile?.role !== 'admin') {
  return new Response('Forbidden', { status: 403 });
}
```

Input Validation


```typescript
import { z } from 'zod';

const PaymentSchema = z.object({
  amount: z.number().positive().max(10000),
  currency: z.enum(['usd', 'eur', 'gbp']),
  description: z.string().max(200).optional()
});

// Validate input; malformed JSON and schema failures get the same generic 400
const body = await req.json().catch(() => null);
const result = PaymentSchema.safeParse(body);
if (!result.success) {
  return new Response(
    JSON.stringify({ error: 'Invalid input' }),
    { status: 400, headers: { 'Content-Type': 'application/json' } }
  );
}
const payment = result.data; // typed and validated from here on
```
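The four patterns in this section combined into one handler, in the order they must run. This is an added example, not the skill's own code: `supabase.auth.getUser()` and the profiles query are replaced by injected functions so it runs offline, the body shape (`user_id` plus the PaymentSchema fields) and the `user`/`admin` role values are assumptions, and the validator is a dependency-free stand-in for the zod schema above.

```typescript
// Added example (not the skill's code): one Edge Function handler that applies
// authentication, input validation, ownership and role checks in order, with
// generic error responses. Token verification and the profile lookup are
// injected (Deps) so the handler is testable offline; body shape is assumed.

export interface User { id: string }
export interface Profile { role: 'user' | 'admin' }
export interface Deps {
  verifyToken: (jwt: string) => Promise<User | null>;       // stands in for supabase.auth.getUser()
  loadProfile: (userId: string) => Promise<Profile | null>; // stands in for the profiles query
}

const CURRENCIES = ['usd', 'eur', 'gbp'];
type Currency = 'usd' | 'eur' | 'gbp';
export interface PaymentInput { user_id: string; amount: number; currency: Currency; description?: string }

function json(status: number, body: unknown): Response {
  return new Response(JSON.stringify(body), { status, headers: { 'content-type': 'application/json' } });
}

// Dependency-free equivalent of the zod PaymentSchema above, plus user_id.
export function parsePayment(body: unknown): PaymentInput | null {
  if (typeof body !== 'object' || body === null) return null;
  const b = body as Record<string, unknown>;
  const user_id = b.user_id;
  if (typeof user_id !== 'string' || user_id === '') return null;
  const amount = b.amount;
  if (typeof amount !== 'number' || !isFinite(amount) || amount <= 0 || amount > 10000) return null;
  const currency = b.currency;
  if (typeof currency !== 'string' || CURRENCIES.indexOf(currency) === -1) return null;
  const description = b.description;
  if (description !== undefined && (typeof description !== 'string' || description.length > 200)) return null;
  return { user_id, amount, currency: currency as Currency, description: description as string | undefined };
}

export async function handle(req: Request, deps: Deps): Promise<Response> {
  // 1. Authentication: identity comes from the verified JWT, never from the body.
  const auth = req.headers.get('Authorization') || '';
  const token = auth.indexOf('Bearer ') === 0 ? auth.slice(7) : '';
  const user = token ? await deps.verifyToken(token) : null;
  if (!user) return json(401, { error: 'Unauthorized' });

  // 2. Input validation: bad JSON and schema failures get the same generic 400.
  let body: unknown = null;
  try { body = await req.json(); } catch (_e) { return json(400, { error: 'Invalid input' }); }
  const input = parsePayment(body);
  if (!input) return json(400, { error: 'Invalid input' });

  // 3. Authorization: own record is allowed; someone else's requires the admin
  //    role, read server-side from a column the caller cannot write.
  if (input.user_id !== user.id) {
    const profile = await deps.loadProfile(user.id);
    if (!profile || profile.role !== 'admin') return json(403, { error: 'Forbidden' });
  }

  // 4. Business logic would go here; only non-sensitive fields are echoed back.
  return json(200, { ok: true, user_id: input.user_id, amount: input.amount, currency: input.currency });
}

// --- Constructed stand-ins for the Auth server and the profiles table --------
export const FAKE_DEPS: Deps = {
  verifyToken: async (jwt) => {
    const users: Record<string, User> = { 'token-user-a': { id: 'user-a-id' }, 'token-admin': { id: 'admin-id' } };
    return users[jwt] || null;
  },
  loadProfile: async (userId) => ({ role: userId === 'admin-id' ? 'admin' : 'user' }),
};

export function makeRequest(token: string | null, rawBody: string): Request {
  const headers: Record<string, string> = { 'content-type': 'application/json' };
  if (token) headers['Authorization'] = `Bearer ${token}`;
  return new Request('https://abc123def.supabase.co/functions/v1/process-payment',
    { method: 'POST', headers, body: rawBody });
}

// The report's scenarios; returns the status code of each.
export async function demoHandler(): Promise<number[]> {
  const own = JSON.stringify({ user_id: 'user-a-id', amount: 25, currency: 'usd' });
  const other = JSON.stringify({ user_id: 'user-b-id', amount: 25, currency: 'usd' });
  const negative = JSON.stringify({ user_id: 'user-a-id', amount: -5, currency: 'usd' });
  const cases: Array<[string | null, string]> = [
    [null, own],                   // no JWT                -> 401
    ['token-user-a', own],         // own record            -> 200
    ['token-user-a', other],       // IDOR attempt          -> 403
    ['token-admin', other],        // admin on another user -> 200
    ['token-user-a', negative],    // schema failure        -> 400
    ['token-user-a', '{not json'], // malformed body        -> 400
  ];
  const statuses: number[] = [];
  for (const [token, body] of cases) statuses.push((await handle(makeRequest(token, body), FAKE_DEPS)).status);
  return statuses;
}
```

The order is deliberate: the body is not parsed before the caller is authenticated, so unauthenticated requests cannot exercise the parser, and every failure path returns the same generic message so the responses themselves do not tell an attacker which check they hit.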

MANDATORY: Progressive Context File Updates


⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go


DO NOT batch all writes at the end. Instead:
  1. Before testing each function → Log the action to .sb-pentest-audit.log
  2. After each vulnerability found → Immediately update .sb-pentest-context.json
  3. After each function test completes → Log the result immediately
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)


  1. Update .sb-pentest-context.json with results:
     ```json
     {
       "functions_audit": {
         "timestamp": "...",
         "functions_found": 5,
         "findings": [ ... ]
       }
     }
     ```
  2. Log to .sb-pentest-audit.log:
     ```
     [TIMESTAMP] [supabase-audit-functions] [START] Auditing Edge Functions
     [TIMESTAMP] [supabase-audit-functions] [FINDING] P0: IDOR in get-user-data
     [TIMESTAMP] [supabase-audit-functions] [CONTEXT_UPDATED] .sb-pentest-context.json updated
     ```
  3. If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
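The three required actions as write-as-you-go helpers, wrapped around a per-function test. This is an added example and not the skill's code: the file names and log line format follow the skill, the `Finding` shape mirrors the Context Output section, the per-test log tags other than START, FINDING and CONTEXT_UPDATED are assumptions, and the run uses a temp directory with two constructed results.

```typescript
// Added example (not the skill's code): progressive updates of the two tracking
// files. Each finding is persisted the moment it is produced, and the log gets a
// line before and after every function test. node:fs/os/path work in Deno too.
import { appendFileSync, existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
import { join } from 'node:path';
import { tmpdir } from 'node:os';

export interface Finding {
  function: string;
  severity: 'P0' | 'P1' | 'P2';
  vulnerability: string;
  description: string;
  remediation: string;
}

const SKILL = 'supabase-audit-functions';
const CONTEXT_FILE = '.sb-pentest-context.json';
const LOG_FILE = '.sb-pentest-audit.log';

// Append one line; the file is created on first use.
export function log(dir: string, tag: string, message: string): void {
  appendFileSync(join(dir, LOG_FILE), `[${new Date().toISOString()}] [${SKILL}] [${tag}] ${message}\n`);
}

// Read-modify-write the context file: create it if absent, preserve keys written
// by other skills, append the finding. The whole file is rewritten each call, so a
// crash after this point loses nothing already found.
export function recordFinding(dir: string, finding: Finding, functionsFound: number): void {
  const path = join(dir, CONTEXT_FILE);
  const ctx = existsSync(path) ? JSON.parse(readFileSync(path, 'utf8')) : {};
  const audit = ctx.functions_audit || { timestamp: '', functions_found: 0, findings: [] };
  audit.timestamp = new Date().toISOString();
  audit.functions_found = functionsFound;
  audit.findings.push(finding);
  ctx.functions_audit = audit;
  writeFileSync(path, JSON.stringify(ctx, null, 2) + '\n');
  log(dir, 'CONTEXT_UPDATED', `${CONTEXT_FILE} updated`);
}

// Per-function wrapper: log BEFORE, run the test, persist any finding, log AFTER.
export async function testFunction(
  dir: string, name: string, functionsFound: number, run: () => Promise<Finding | null>,
): Promise<Finding | null> {
  log(dir, 'TEST_START', `Testing ${name}`);
  const finding = await run();
  if (finding) {
    log(dir, 'FINDING', `${finding.severity}: ${finding.vulnerability} in ${name}`);
    recordFinding(dir, finding, functionsFound);
  }
  log(dir, 'TEST_END', `${name}: ${finding ? finding.severity : 'no finding'}`);
  return finding;
}

// Constructed run over two of the report's functions in a fresh temp directory.
export async function demoProgressive(): Promise<{ dir: string; findings: Finding[]; logLines: string[] }> {
  const dir = mkdtempSync(join(tmpdir(), 'sb-pentest-'));
  log(dir, 'START', 'Auditing Edge Functions');
  await testFunction(dir, 'hello-world', 5, async () => null);
  await testFunction(dir, 'get-user-data', 5, async () => ({
    function: 'get-user-data', severity: 'P0', vulnerability: 'IDOR',
    description: "Any authenticated user can access any user's data",
    remediation: 'Verify user owns requested resource',
  }));
  const ctx = JSON.parse(readFileSync(join(dir, CONTEXT_FILE), 'utf8'));
  const logLines = readFileSync(join(dir, LOG_FILE), 'utf8').trim().split('\n');
  return { dir, findings: ctx.functions_audit.findings, logLines };
}
```

In the real skill `dir` is the working directory of the engagement rather than a temp directory, and `run` is the actual probe of one function.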

MANDATORY: Evidence Collection


📁 Evidence Directory:
.sb-pentest-evidence/07-functions-audit/

Evidence Files to Create


| File | Content |
|---|---|
| discovered-functions.json | List of discovered Edge Functions |
| function-tests/[name].json | Test results per function |

Evidence Format (IDOR Vulnerability)


```json
{
  "evidence_id": "FN-001",
  "timestamp": "2025-01-31T11:10:00Z",
  "category": "functions-audit",
  "type": "idor_vulnerability",
  "severity": "P0",

  "function": "get-user-data",
  "endpoint": "https://abc123def.supabase.co/functions/v1/get-user-data",

  "tests": [
    {
      "test_name": "auth_required",
      "request": {
        "method": "GET",
        "headers": {},
        "curl_command": "curl '$URL/functions/v1/get-user-data'"
      },
      "response": {"status": 401},
      "result": "PASS"
    },
    {
      "test_name": "idor_test",
      "description": "As user A, request user B's data",
      "request": {
        "method": "GET",
        "url": "$URL/functions/v1/get-user-data?user_id=user-b-id",
        "headers": {"Authorization": "Bearer [USER_A_TOKEN]"},
        "curl_command": "curl '$URL/functions/v1/get-user-data?user_id=user-b-id' -H 'Authorization: Bearer [USER_A_TOKEN]'"
      },
      "response": {
        "status": 200,
        "body": {"id": "user-b-id", "email": "[REDACTED]", "data": "[REDACTED]"}
      },
      "result": "VULNERABLE",
      "impact": "Any authenticated user can access any other user's data"
    }
  ],

  "remediation": "Add ownership check: if (user_id !== jwt_user.id) return 403"
}
```

Evidence Format (Privilege Escalation)


```json
{
  "evidence_id": "FN-002",
  "timestamp": "2025-01-31T11:15:00Z",
  "category": "functions-audit",
  "type": "privilege_escalation",
  "severity": "P0",

  "function": "admin-panel",

  "test": {
    "description": "Regular user accessing admin function",
    "request": {
      "method": "GET",
      "headers": {"Authorization": "Bearer [REGULAR_USER_TOKEN]"},
      "curl_command": "curl '$URL/functions/v1/admin-panel' -H 'Authorization: Bearer [REGULAR_USER_TOKEN]'"
    },
    "response": {
      "status": 200,
      "body": {"admin_data": "[REDACTED]"}
    },
    "result": "VULNERABLE",
    "impact": "Any authenticated user has admin access"
  }
}
```

Related Skills


  • supabase-audit-rpc — Database functions (different from Edge Functions)
  • supabase-audit-auth-config — Auth configuration
  • supabase-report — Include in final report