supabase-report


Security Report Generator


🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
  • Write to .sb-pentest-audit.log IMMEDIATELY as you process each section
  • Update .sb-pentest-context.json with report metadata progressively
  • DO NOT wait until the entire report is generated to update files
  • If the skill crashes or is interrupted, the partial progress must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill generates a comprehensive Markdown security audit report from all collected findings.

When to Use This Skill


  • After completing security audit phases
  • To document findings for stakeholders
  • To create actionable remediation plans
  • For compliance and audit trail purposes

Prerequisites


  • Audit phases completed (context file populated)
  • Findings collected in .sb-pentest-context.json

Report Structure


The generated report includes:
  1. Executive Summary — High-level overview for management
  2. Security Score — Quantified risk assessment
  3. Critical Findings (P0) — Immediate action required
  4. High Findings (P1) — Address soon
  5. Medium Findings (P2) — Plan to address
  6. Detailed Analysis — Per-component breakdown
  7. Remediation Plan — Prioritized action items
  8. Appendix — Technical details, methodology

Usage


Generate Report


Generate security report from audit findings

Custom Report Name


Generate report as security-audit-2025-01.md

Specific Sections


Generate executive summary only

Output Format


The skill generates supabase-audit-report.md. A sample of the generated Markdown follows:

Supabase Security Audit Report


Target: https://myapp.example.com
Project: abc123def.supabase.co
Date: January 31, 2025
Auditor: Internal Security Team


Executive Summary


Overview


This security audit identified 12 vulnerabilities across the Supabase implementation, including 3 critical (P0) issues requiring immediate attention.

Key Findings


| Severity | Count | Status |
|---|---|---|
| 🔴 P0 (Critical) | 3 | Immediate action required |
| 🟠 P1 (High) | 4 | Address within 7 days |
| 🟡 P2 (Medium) | 5 | Address within 30 days |

Security Score


Score: 35/100 (Grade: F)
The application has significant security gaps that expose user data and allow privilege escalation. Critical issues must be addressed before the application can be considered secure.

Most Critical Issues


  1. Service Role Key Exposed — Full database access possible
  2. Database Backups Public — All data downloadable
  3. Admin Function No Auth — Any user can access admin features

Recommended Actions


  1. Immediate (Today):
    • Rotate service role key
    • Make backup bucket private
    • Add admin role verification
  2. 🔜 This Week:
    • Enable RLS on all tables
    • Enable email confirmation
    • Fix IDOR in Edge Functions
  3. 📅 This Month:
    • Strengthen password policy
    • Restrict CORS origins
    • Add rate limiting to functions


Critical Findings (P0)


P0-001: Service Role Key Exposed in Client Code


Severity: 🔴 Critical | Component: Key Management | CVSS: 9.8 (Critical)

Description


The Supabase service_role key was found in client-side JavaScript code. This key bypasses all Row Level Security policies and provides full database access.

Location


File: /static/js/admin.chunk.js
Line: 89
Code: const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiI...'

Impact


  • Full read/write access to all database tables
  • Bypass of all RLS policies
  • Access to auth.users table (all user data)
  • Ability to delete or modify any data

Proof of Concept


bash
curl 'https://abc123def.supabase.co/rest/v1/users' \
  -H 'apikey: [service_role_key]' \
  -H 'Authorization: Bearer [service_role_key]'
# Returns ALL users with full data

The apikey header only gets the request past the API gateway; PostgREST takes the database role from the Authorization bearer token, so a service_role JWT there runs the query as the RLS-bypassing service role.

Remediation


Immediate:
  1. Rotate the service role key in Supabase Dashboard
    • Settings → API → Regenerate service_role key
  2. Remove the key from client code
  3. Redeploy the application
Note: with the legacy JWT-based keys the anon and service_role keys are both signed by the project JWT secret, so regenerating it replaces the anon key as well and invalidates every active user session; ship the new anon key in the same redeploy.
Long-term:
typescript
// Move privileged operations to Edge Functions
// supabase/functions/admin-action/index.ts

// Edge Functions run on Deno: use the npm: specifier (or an import map) for the SDK
import { createClient } from 'npm:@supabase/supabase-js@2'

Deno.serve(async (req) => {
  // Service key only on server, read from the function's environment
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL')!,
    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
  )

  // Verify caller is admin before proceeding
  // ...

  return new Response('ok')
})
Documentation:
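As an added example (not part of the original skill or of the audited application), here is the check behind P0-001 in Python: pull every Supabase-shaped key out of a JavaScript bundle and decide, from the JWT's own role claim, whether it is the public anon key or the RLS-bypassing service_role key. The bundle, project ref and keys below are constructed; the handling of the newer sb_publishable_/sb_secret_ prefixes reflects Supabase's current key format and is not something the page itself covers.

```python
import base64
import json
import re
import time
from typing import Any, Dict, List

# Matches legacy JWT-style keys and the newer prefixed sb_publishable_/sb_secret_ keys.
KEY_PATTERN = re.compile(
    r"sb_(?:secret|publishable)_[A-Za-z0-9_-]+"
    r"|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_supabase_key(key: str) -> Dict[str, Any]:
    """Classify a key found in client code without contacting Supabase.

    Legacy Supabase keys are HS256 JWTs whose payload names the Postgres role the
    key maps to ('anon' or 'service_role') and the project ref. The payload is only
    decoded, not verified: verification needs the project JWT secret, and telling
    anon from service_role does not.
    """
    if key.startswith("sb_secret_"):
        return {"format": "sb_secret", "role": "service_role",
                "verdict": "CRITICAL: secret key must never ship to clients"}
    if key.startswith("sb_publishable_"):
        return {"format": "sb_publishable", "role": "anon",
                "verdict": "OK: publishable key is meant for clients"}
    parts = key.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT and not a recognised Supabase key format")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    role = payload.get("role")
    exp = payload.get("exp")
    result = {
        "format": "jwt",
        "alg": header.get("alg"),
        "project_ref": payload.get("ref"),
        "role": role,
        "expired": exp is not None and exp < time.time(),
    }
    if role == "service_role":
        result["verdict"] = "CRITICAL: service_role key bypasses RLS; rotate it now"
    elif role == "anon":
        result["verdict"] = "OK: anon key is public by design; RLS is what protects the data"
    else:
        result["verdict"] = f"UNKNOWN: role claim {role!r}, verify manually"
    return result


def scan_client_source(source: str) -> List[Dict[str, Any]]:
    """Find every Supabase-looking key in a JS bundle and classify it, in order of appearance."""
    findings = []
    for match in KEY_PATTERN.finditer(source):
        try:
            info = inspect_supabase_key(match.group(0))
        except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
            continue  # an eyJ... string that is not actually a JWT
        info["offset"] = match.start()
        findings.append(info)
    return findings


def make_test_key(role: str, ref: str) -> str:
    """Constructed test helper: a Supabase-shaped JWT with a dummy (unverifiable) signature."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps({
        "iss": "supabase", "ref": ref, "role": role,
        "iat": 1700000000, "exp": 1700000000 + 10 * 365 * 86400,
    }, separators=(",", ":")).encode())
    sig = _b64url_encode(bytes(32))
    return f"{header}.{payload}.{sig}"


if __name__ == "__main__":
    # Constructed stand-in for a bundle like /static/js/admin.chunk.js (not the audited file).
    bundle = (
        'const SUPABASE_URL = "https://abc123def.supabase.co";\n'
        f'const SUPABASE_KEY = "{make_test_key("service_role", "abc123def")}";\n'
        f'const PUBLIC_KEY = "{make_test_key("anon", "abc123def")}";\n'
    )
    for hit in scan_client_source(bundle):
        print(f"offset {hit['offset']}: role={hit['role']} ref={hit['project_ref']} -> {hit['verdict']}")
```

Run it against a downloaded bundle with `scan_client_source(open(path).read())`; an anon key in the bundle is expected and is only a finding if RLS is missing, whereas any service_role hit is P0 on its own.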


P0-002: Database Backups Publicly Accessible


Severity: 🔴 Critical | Component: Storage | CVSS: 9.1 (Critical)

Description


The storage bucket named "backups" is configured as public, exposing database dumps, user exports, and environment secrets.

Exposed Files


| File | Size | Content |
|---|---|---|
| db-backup-2025-01-30.sql | 125MB | Full database dump |
| users-export.csv | 2.3MB | All user data with PII |
| secrets.env | 1KB | API keys and passwords |

Impact


  • Complete data breach (all database content)
  • Exposed credentials for third-party services
  • User PII exposed (emails, names, etc.)

Remediation


Immediate:
sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Delete or move files
-- Consider incident response procedures
Credential Rotation:
  • Stripe API keys
  • Database password
  • JWT secret
  • Any other keys in secrets.env


P0-003: Admin Edge Function Privilege Escalation


Severity: 🔴 Critical | Component: Edge Functions | CVSS: 8.8 (High)

Description


The /functions/v1/admin-panel Edge Function is accessible to any authenticated user without role verification.
[... additional P0 findings ...]
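The missing check in P0-003, as an added example that is not the project's code: a server-side gate that verifies the caller's access token against the project's JWT secret and reads the admin flag from app_metadata (settable only with the service role), not from user_metadata (which the user can change through auth.updateUser()). It is written in Python to show the logic; a Deno Edge Function performs the same steps. It assumes the project still signs tokens with the shared HS256 JWT secret; projects on asymmetric signing keys verify against the public key instead. The secret, clock and tokens are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class AuthError(Exception):
    """Raised when a request must be rejected; the message is safe to log, not to echo to the caller."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_supabase_jwt(token: str, jwt_secret: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Verify an HS256 access token against the project's JWT secret and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")  # never let the token choose the algorithm ('none', key confusion)
    expected = hmac.new(jwt_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthError("expired")
    return claims


def require_admin(authorization: Optional[str], jwt_secret: str, now: Optional[float] = None) -> str:
    """Return the caller's user id if the bearer token belongs to an admin user, else raise AuthError.

    The admin flag is read from app_metadata, which only the service role (server side) can set.
    user_metadata is editable by the user through auth.updateUser(), so gating on it would let
    any user promote themselves: the P0-003 class of bug in another disguise.
    """
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError("missing bearer token")
    claims = verify_supabase_jwt(authorization[len("Bearer "):], jwt_secret, now)
    if claims.get("role") != "authenticated":
        raise AuthError("not a user session")  # anon and service_role keys are not users
    if (claims.get("app_metadata") or {}).get("role") != "admin":
        raise AuthError("forbidden")
    return claims["sub"]


def admin_gate(authorization: Optional[str], jwt_secret: str, now: Optional[float] = None) -> str:
    """Non-raising wrapper for handlers: 'allowed:<user id>' or 'denied:<reason>'."""
    try:
        return "allowed:" + require_admin(authorization, jwt_secret, now)
    except AuthError as err:
        return "denied:" + str(err)


def make_access_token(claims: Dict[str, Any], jwt_secret: str, alg: str = "HS256") -> str:
    """Constructed test helper: mints a token the way GoTrue would (or a forged one for alg/secret tests)."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(jwt_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed secret and clock; a real function reads the secret from its environment.
    secret, now = "constructed-jwt-secret-at-least-32-chars-long!!", 1_700_000_000
    base = {"aud": "authenticated", "role": "authenticated", "exp": now + 3600}
    real_admin = make_access_token({**base, "sub": "u-1", "app_metadata": {"role": "admin"}}, secret)
    self_promoted = make_access_token({**base, "sub": "u-2", "user_metadata": {"role": "admin"}}, secret)
    print(admin_gate("Bearer " + real_admin, secret, now))     # allowed:u-1
    print(admin_gate("Bearer " + self_promoted, secret, now))  # denied:forbidden
```

The self-promoted token is a valid, correctly signed session for a real user; only the choice of app_metadata over user_metadata keeps it out, which is why a reviewer should look for exactly which claim an admin check reads.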


High Findings (P1)


P1-001: Email Confirmation Disabled


Severity: 🟠 High Component: Authentication
[... P1 findings ...]


Medium Findings (P2)


P2-001: Weak Password Policy


Severity: 🟡 Medium Component: Authentication
[... P2 findings ...]


Detailed Analysis by Component


API Security


| Table | RLS | Access Level | Status |
|---|---|---|---|
| users |  | Full read | 🔴 P0 |
| orders |  | None |  |
| posts |  | Published only |  |

Storage Security


| Bucket | Public | Sensitive Files | Status |
|---|---|---|---|
| avatars | Yes | No |  |
| backups | Yes | Yes (45 files) | 🔴 P0 |

Authentication


| Setting | Current | Recommended | Status |
|---|---|---|---|
| Email confirm | Disabled | Enabled | 🟠 P1 |
| Password min length | 6 | 8+ | 🟡 P2 |


Remediation Plan


Phase 1: Critical (Immediate)


| ID | Action | Owner | Deadline |
|---|---|---|---|
| P0-001 | Rotate service key | DevOps | Today |
| P0-002 | Make backups private | DevOps | Today |
| P0-003 | Add admin role check | Backend | Today |

Phase 2: High Priority (This Week)


| ID | Action | Owner | Deadline |
|---|---|---|---|
| P1-001 | Enable email confirmation | Backend | 3 days |
| P1-002 | Fix IDOR in get-user-data | Backend | 3 days |

Phase 3: Medium Priority (This Month)


| ID | Action | Owner | Deadline |
|---|---|---|---|
| P2-001 | Strengthen password policy | Backend | 14 days |
| P2-002 | Restrict CORS origins | DevOps | 14 days |


Appendix


A. Methodology


This audit was performed using the Supabase Pentest Skills toolkit, which includes:
  • Passive reconnaissance of client-side code
  • API endpoint testing with anon and service keys
  • Storage bucket enumeration and access testing
  • Authentication flow analysis
  • Real-time channel subscription testing

B. Tools Used


  • supabase-pentest-skills v1.0.0
  • curl for API testing
  • Browser DevTools for client code analysis

C. Audit Scope


  • Target URL: https://myapp.example.com
  • Supabase Project: abc123def
  • Components tested: API, Storage, Auth, Realtime, Edge Functions
  • Exclusions: None

D. Audit Log


Full audit log available in .sb-pentest-audit.log

Report generated by supabase-pentest-skills
Audit completed: January 31, 2025 at 15:00 UTC

Score Calculation


The security score is calculated based on:

| Factor | Weight | Calculation |
|---|---|---|
| P0 findings | -25 per issue | Critical vulnerabilities |
| P1 findings | -10 per issue | High severity issues |
| P2 findings | -5 per issue | Medium severity issues |
| RLS coverage | +10 if 100% | All tables have RLS |
| Auth hardening | +10 | Email confirm, strong passwords |
| Base score | 100 | Starting point |

Grade Scale


| Score | Grade | Description |
|---|---|---|
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good, minor improvements needed |
| 70-79 | C | Acceptable, address issues |
| 60-69 | D | Poor, significant issues |
| 0-59 | F | Critical, immediate action needed |
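The score calculation and grade scale above, as an added Python example (not the skill's own code). Applied to the sample report's 3/4/5 findings with neither bonus, the table's weights give 100 - 75 - 40 - 25 = -40, which this code clamps to 0; the clamp is an assumption, since the page does not say what happens below 0. The sample's 35/100 is what the same weights leave once the three P0 items are fixed, and 35 is an F on the page's own scale. The finding list is constructed.

```python
from typing import Dict, Iterable, List

# Weights from the Score Calculation table: base 100, deductions per finding, two bonuses.
DEDUCTION = {"P0": 25, "P1": 10, "P2": 5}
RLS_BONUS = 10
AUTH_BONUS = 10
# Grade floors from the Grade Scale table.
GRADE_FLOORS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def security_score(findings: Iterable[Dict], rls_full_coverage: bool, auth_hardened: bool) -> int:
    """Compute the score; clamping to 0..100 is an assumption the page's table does not state."""
    score = 100
    for finding in findings:
        score -= DEDUCTION.get(finding["severity"], 0)  # severities outside P0..P2 do not move the score
    if rls_full_coverage:
        score += RLS_BONUS
    if auth_hardened:
        score += AUTH_BONUS
    return max(0, min(100, score))


def grade(score: int) -> str:
    for floor, letter in GRADE_FLOORS:
        if score >= floor:
            return letter
    return "F"


def score_summary(findings: List[Dict], rls_full_coverage: bool, auth_hardened: bool) -> Dict:
    """Everything the Security Score section needs: per-severity counts, score and grade."""
    counts = {sev.lower(): sum(1 for f in findings if f["severity"] == sev) for sev in DEDUCTION}
    score = security_score(findings, rls_full_coverage, auth_hardened)
    return {"findings_count": counts, "score": score, "grade": grade(score)}


def score_after_fixing_p0(findings: List[Dict], rls_full_coverage: bool, auth_hardened: bool) -> Dict:
    """Projected score once only the P0 items are closed: what 'fix the criticals first' buys."""
    remaining = [f for f in findings if f["severity"] != "P0"]
    return score_summary(remaining, rls_full_coverage, auth_hardened)


if __name__ == "__main__":
    # Constructed finding list matching the sample report's counts (3 P0, 4 P1, 5 P2).
    sample = [{"id": f"P0-00{i}", "severity": "P0"} for i in range(1, 4)]
    sample += [{"id": f"P1-00{i}", "severity": "P1"} for i in range(1, 5)]
    sample += [{"id": f"P2-00{i}", "severity": "P2"} for i in range(1, 6)]
    print(score_summary(sample, rls_full_coverage=False, auth_hardened=False))  # score 0, grade F
    print(score_after_fixing_p0(sample, False, False))                          # score 35, grade F
```

With these weights a single P0 costs more than both bonuses together, so a project cannot bonus its way out of a critical finding; that is the property to preserve if the weights are ever tuned.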

Context Input


The report generator reads from .sb-pentest-context.json:
json
{
  "target_url": "https://myapp.example.com",
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },
  "findings": [
    {
      "id": "P0-001",
      "severity": "P0",
      "component": "keys",
      "title": "Service Role Key Exposed",
      "description": "...",
      "location": "...",
      "remediation": "..."
    }
  ],
  "audit_completed": "2025-01-31T15:00:00Z"
}

Report Customization


Include/Exclude Sections


Generate report without appendix
Generate report with executive summary only

Different Formats


Generate report in JSON format
Generate report summary as HTML

MANDATORY: Context File Dependency


⚠️ This skill REQUIRES properly populated tracking files.

Prerequisites


Before generating a report, ensure:
  1. .sb-pentest-context.json exists and contains findings from audit skills
  2. .sb-pentest-audit.log exists with timestamped actions
  3. All relevant audit skills have updated these files

If Context Files Are Missing


If context files are missing or empty:
  1. DO NOT generate an empty report
  2. Inform the user that audit skills must be run first
  3. Recommend running supabase-pentest for a complete audit

Report Generation Output


After generating the report, this skill MUST:
  1. Log to .sb-pentest-audit.log:
    [TIMESTAMP] [supabase-report] [START] Generating security report
    [TIMESTAMP] [supabase-report] [SUCCESS] Report generated: supabase-audit-report.md
    [TIMESTAMP] [supabase-report] [CONTEXT_UPDATED] Report generation logged
  2. Update .sb-pentest-context.json with report metadata:
    json
    {
      "report": {
        "generated_at": "...",
        "filename": "supabase-audit-report.md",
        "findings_count": { "p0": 3, "p1": 4, "p2": 5 }
      }
    }
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
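A minimal implementation of the generator's contract, as an added Python example (not the skill's own implementation): it refuses a missing or empty context file, writes the report one section at a time, appends an audit-log line and rewrites the context file after every section so an interruption leaves usable partial output, and finishes with the [SUCCESS]/[CONTEXT_UPDATED] lines and the report metadata object described above. The in-progress metadata keys and the [SECTION] log status are assumptions; the sample context is constructed from the page's own finding titles.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

SEVERITIES = ["P0", "P1", "P2"]
SECTION_TITLES = {"P0": "Critical Findings (P0)", "P1": "High Findings (P1)", "P2": "Medium Findings (P2)"}

# Constructed context, shaped like .sb-pentest-context.json, so the example runs stand-alone.
SAMPLE_CONTEXT = {
    "target_url": "https://myapp.example.com",
    "supabase": {"project_url": "https://abc123def.supabase.co", "project_ref": "abc123def"},
    "findings": [
        {"id": "P2-001", "severity": "P2", "component": "auth", "title": "Weak Password Policy",
         "description": "Minimum length is 6.", "location": "Auth settings", "remediation": "Require 8+ characters."},
        {"id": "P0-001", "severity": "P0", "component": "keys", "title": "Service Role Key Exposed",
         "description": "service_role key in client JS.", "location": "/static/js/admin.chunk.js:89",
         "remediation": "Rotate the key and move privileged calls server side."},
        {"id": "P1-001", "severity": "P1", "component": "auth", "title": "Email Confirmation Disabled",
         "description": "Sign-ups are not verified.", "location": "Auth settings", "remediation": "Enable confirmation."},
    ],
    "audit_completed": "2025-01-31T15:00:00Z",
}


def _ts() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def log_event(log_path: Path, status: str, message: str) -> None:
    """Append one line in the skill's log format; open/close per line so it is on disk before the next step."""
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(f"[{_ts()}] [supabase-report] [{status}] {message}\n")


def load_context(context_path: Path) -> Dict:
    """Refuse a missing or empty context instead of producing an empty report."""
    if not context_path.is_file():
        raise FileNotFoundError(f"{context_path} is missing; run the audit skills (supabase-pentest) first")
    ctx = json.loads(context_path.read_text(encoding="utf-8"))
    if not ctx.get("findings"):
        raise ValueError(f"{context_path} has no findings; run the audit skills (supabase-pentest) first")
    return ctx


def render_finding(f: Dict) -> str:
    return (f"### {f['id']}: {f['title']}\n\n**Severity:** {f['severity']} | **Component:** {f['component']}\n\n"
            f"{f.get('description', '')}\n\n**Location:** {f.get('location', 'n/a')}\n\n"
            f"**Remediation:** {f.get('remediation', '')}\n\n")


def generate_report(context_path, log_path, out_path, sections: Optional[List[str]] = None) -> Dict[str, int]:
    """Write the report section by section, logging and updating the context after each one."""
    context_path, log_path, out_path = Path(context_path), Path(log_path), Path(out_path)
    log_event(log_path, "START", "Generating security report")
    ctx = load_context(context_path)
    # Severities outside P0..P2 are not expected in the context; sorted() leaves ctx["findings"] untouched.
    findings = sorted(ctx["findings"], key=lambda f: (SEVERITIES.index(f["severity"]), f["id"]))
    counts = {s.lower(): sum(1 for f in findings if f["severity"] == s) for s in SEVERITIES}
    wanted = sections or ["summary", *SEVERITIES]  # e.g. ["summary"] for "executive summary only"
    written: List[str] = []

    def checkpoint(section: str) -> None:
        # Assumed in-progress metadata: the page only specifies the final "report" object.
        written.append(section)
        ctx["report"] = {"status": "in_progress", "filename": out_path.name, "sections_written": written}
        context_path.write_text(json.dumps(ctx, indent=2), encoding="utf-8")
        log_event(log_path, "SECTION", f"{section} written")  # SECTION status is an assumption

    out_path.write_text(f"# Supabase Security Audit Report\n\n**Target:** {ctx['target_url']}  \n"
                        f"**Project:** {ctx['supabase']['project_url']}\n\n", encoding="utf-8")
    with out_path.open("a", encoding="utf-8") as out:
        if "summary" in wanted:
            out.write("## Executive Summary\n\n" + "".join(f"- {s}: {counts[s.lower()]}\n" for s in SEVERITIES) + "\n")
            out.flush()
            checkpoint("Executive Summary")
        for sev in SEVERITIES:
            if sev in wanted:
                out.write(f"## {SECTION_TITLES[sev]}\n\n" + "".join(render_finding(f) for f in findings if f["severity"] == sev))
                out.flush()
                checkpoint(SECTION_TITLES[sev])

    ctx["report"] = {"generated_at": _ts(), "filename": out_path.name, "findings_count": counts}
    context_path.write_text(json.dumps(ctx, indent=2), encoding="utf-8")
    log_event(log_path, "SUCCESS", f"Report generated: {out_path.name}")
    log_event(log_path, "CONTEXT_UPDATED", "Report generation logged")
    return counts


def demo(workdir: Optional[str] = None) -> Dict[str, int]:
    """Run end to end in a scratch directory and return the per-severity counts."""
    base = Path(workdir or tempfile.mkdtemp())
    (base / ".sb-pentest-context.json").write_text(json.dumps(SAMPLE_CONTEXT), encoding="utf-8")
    return generate_report(base / ".sb-pentest-context.json", base / ".sb-pentest-audit.log",
                           base / "supabase-audit-report.md")


if __name__ == "__main__":
    print(demo())  # {'p0': 1, 'p1': 1, 'p2': 1}
```

The [START] line is written before the context is even read, so a run that aborts on an empty context still leaves a trace of the attempt in the audit log, and a run killed mid-way leaves both the partial report and an in_progress marker in the context file.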

Related Skills


  • supabase-report-compare — Compare with previous reports
  • supabase-pentest — Run full audit first
  • supabase-help — List all available skills