Dangerous default security on views
p
Apologies if this is a Postgres and not a Supabase-specific thing, but I think it deserves a discussion/mention in the docs at the very least. Just created a test project
```sql
create table public.protecc as (select 1 val);
create view public.protecc_view as (select * from public.protecc);
alter table public.protecc enable row level security;
```
and the following code
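```js
import { createClient } from '@supabase/supabase-js'

const SUPABASE_URL = `ADD HERE`
const ANON_KEY = `ADD HERE`

// Client authenticated only with the public anon key (no user access token)
const client = createClient(SUPABASE_URL, ANON_KEY)

async function main() {
    {
        // Direct select on the RLS-enabled table
        const { data, error } = await client.from('protecc').select('*')
        console.dir({ data, error })
    }
    {
        // Delete through the view, which runs with the view owner's privileges
        const { data, error } = await client.from('protecc_view').delete().match({ val: 1 })
        console.dir({ data, error })
    }
}
main().catch(console.log)
```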
Any user (even an anon user (no access token)) can delete from the table (via the view). This means that any public view is by default vulnerable to data corruption/unauthorized access. This at least warrants a big warning in the docs imho, if not an automated check in the UI for views that are owned by a user bypassing RLS. I understand this is because the view owner is the supabase_admin (who created the view) and it can bypass RLS, and I have read https://github.com/supabase/supabase/discussions/1501 and https://github.com/supabase/supabase/discussions/2148
my followup question then is: So doing `alter view public.protecc_view owner to anon` the `anon` role has ALL grants on all tables by default. This is safe because all tables should have RLS. Correct?
s
I don't think we have any mentions of views in our docs, and information in the Postgres docs tells you that the permission of the view owner is what will affect views. I think if a user is using this advanced feature then they should know of its pitfalls from the documentation where they found out about it. I'm not even sure where in the docs we would fit this in since I can't remember seeing any mentions of views in our docs.
n
pocin (2022-04-13)
p
Agree, I do not see it in the official docs (only this old generic post on views https://supabase.com/blog/2020/11/18/postgresql-views ) but this doesn't touch on RLS so no harm done there. I considered myself a fairly advanced Postgres user (which is completely my own fault) but didn't really know about permissions, but this was a sobering moment, at least I got to study and understand more on how permissions work :)) Anyway, I wanted to point out it's easy to shoot yourself in the foot with this one given how easy it is to create a view in the public schema. Not a bug, but could be a feature.