Add Supabase CREs 140-142 and resolve conflicts

RaghavArora14 · RaghavArora14 · commit 11b7b6418257 · 2025-09-09T10:04:33.000+05:30
- Add CRE-2025-0140: Supabase Realtime Invalid Config - Add CRE-2025-0141: Supabase Disk Full Migration - Add CRE-2025-0142: Supabase SSL Certificate Missing - Update test logs for Kubernetes exit code CREs (134, 137, 139) - Include Kubernetes exit code YAML files from PR #137
diff --git a/rules/cre-2025-0134/cre-exit-134.yaml b/rules/cre-2025-0134/cre-exit-134.yaml
@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: T8tPh6u4Bj7nXidQWbRvvj
+    cre:
+      id: CRE-2025-0134
+      severity: 2
+      title: Container exited 134 due to SIGABRT / assertion failure
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 134 indicates the process aborted via SIGABRT, commonly due to failed assertions,
+        allocator checks (e.g., glibc detecting heap corruption), or explicit abort() calls.
+      cause: |
+        - assert(false) / std::abort() in C/C++.
+        - Memory allocator consistency errors (double free, corruption).
+        - Defensive abort on unrecoverable invariant violations.
+      impact: |
+        - Immediate termination of the container; possible loss of in-flight work.
+        - Repeated crashes if the triggering condition is deterministic at startup.
+      tags:
+        - k8s
+        - exit-code
+        - sigabrt
+        - assertion
+        - native
+      mitigation: |
+        - Enable core dumps and symbols; capture backtraces.
+        - Run ASAN/UBSAN builds in staging to localize corruption.
+        - Pin and verify libc/libstdc++ versions; roll back recent native changes.
+      references:
+        - "https://www.gnu.org/software/libc/manual/html_node/Aborting-a-Program.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 4
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t134$"
diff --git a/rules/cre-2025-0134/test.log b/rules/cre-2025-0134/test.log
@@ -1,11 +1 @@
-2025-01-28T10:35:10Z ERROR   supabase-realtime invalid replication mode: 'invalid_mode' is not a supported replication mode
-2025-01-28T10:35:10Z ERROR   supabase-realtime REPLICATION_MODE configuration error: unknown value 'invalid_mode'
-2025-01-28T10:35:11Z ERROR   supabase-realtime realtime configuration error: INVALID_CONFIG_PARAM is not recognized
-2025-01-28T10:35:11Z ERROR   supabase-realtime SECRET_KEY_BASE must be at least 64 characters long
-2025-01-28T10:35:12Z ERROR   supabase-realtime DB_ENC_KEY missing or invalid format
-2025-01-28T10:35:12Z ERROR   supabase-realtime realtime startup failed: configuration validation error
-2025-01-28T10:35:13Z ERROR   supabase-realtime websocket connection failed: invalid configuration
-2025-01-28T10:35:13Z ERROR   supabase-realtime elixir application failed to start: configuration error
-2025-01-28T10:35:14Z ERROR   supabase-realtime realtime service crash: {:error, :invalid_config}
-
-
+2025-08-27T13:26:39Z	cre-demo/abort-134	aborter	Error	134
diff --git a/rules/cre-2025-0137/cre-exit-137.yaml b/rules/cre-2025-0137/cre-exit-137.yaml
@@ -0,0 +1,50 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: VuPxiuWkYodzUqupa7gh9N
+    cre:
+      id: CRE-2025-0137
+      severity: 1
+      title: Pod terminated with Exit Code 137 due to OOMKilled (memory limit exceeded)
+      category: memory-problem
+      author: CRE Community
+      description: |
+        The container exceeded its memory limit and was killed by the kernel OOM killer.
+        Kubernetes reports a terminated state with Reason=OOMKilled and exitCode=137.
+        This often manifests as CrashLoopBackOff under sustained memory pressure.
+      cause: |
+        - Memory limit too low relative to peak usage.
+        - Sudden traffic spikes causing allocation bursts.
+        - Memory leaks or fragmentation in long-running processes.
+        - Under-provisioned nodes or overly strict pod limits.
+      impact: |
+        - Request errors and latency spikes during restarts.
+        - CrashLoopBackOff and reduced availability.
+        - Potential loss of in-flight work not checkpointed to durable storage.
+      tags:
+        - k8s
+        - exit-code
+        - out-of-memory
+        - memory
+        - crash-loop
+        - reliability
+      mitigation: |
+        - Raise memory requests/limits; add headroom for peak allocations.
+        - Enable profiling and leak detection; tune GC/heap where applicable.
+        - Consider Vertical Pod Autoscaler for right-sizing.
+        - Watch node memory pressure and eviction thresholds.
+      references:
+        - "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-states"
+        - "https://kubernetes.io/docs/tasks/administer-cluster/out-of-resource/"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 12
+    rule:
+      set:
+        event:
+          source: cre.log.k8s      
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\tOOMKilled\\t137$"
diff --git a/rules/cre-2025-0137/test.log b/rules/cre-2025-0137/test.log
@@ -1,10 +1 @@
-2025-01-28T10:50:32Z ERROR   supabase-db     ERROR: could not write to file "base/13442/16384": No space left on device
-2025-01-28T10:50:32Z ERROR   supabase-db     FATAL: could not write to WAL file: No space left on device
-2025-01-28T10:50:33Z ERROR   supabase-db     ERROR: disk full, could not extend file "base/13442/16385" to 8192 blocks
-2025-01-28T10:50:33Z ERROR   supabase-db     checkpoint request failed: No space left on device
-2025-01-28T10:50:34Z ERROR   supabase-db     ERROR: could not create file "pg_wal/000000010000000000000002": No space left on device
-2025-01-28T10:50:34Z ERROR   supabase-db     FATAL: insufficient disk space for WAL files
-2025-01-28T10:50:35Z ERROR   supabase-db     ERROR: could not write block 1048576 of temporary file: No space left on device
-2025-01-28T10:50:35Z ERROR   supabase-db     migration failed: disk full during large data operation
-
-
+2025-08-27T11:51:17Z	cre-demo/oom-137	eater	OOMKilled	137
diff --git a/rules/cre-2025-0139/cre-exit-139.yaml b/rules/cre-2025-0139/cre-exit-139.yaml
@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: KHtVUpTbZHaevdn4EABmQEe
+    cre:
+      id: CRE-2025-0139
+      severity: 2
+      title: Container exited 139 due to segmentation fault (SIGSEGV)
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 139 indicates SIGSEGV (invalid memory access) in native/runtime code.
+        Frequently caused by unsafe pointer operations, ABI/library mismatches, or native extensions.
+      cause: |
+        - Null dereference or out-of-bounds access in C/C++/Rust unsafe blocks.
+        - Incompatible glibc/musl or driver/library versions.
+        - Faulty JNI/ctypes/native extension code paths.
+      impact: |
+        - Hard crash; requests being processed may be dropped.
+        - Repeated crashes if the segfault occurs deterministically at startup.
+      tags:
+        - k8s
+        - exit-code
+        - segfault
+        - native
+        - reliability
+      mitigation: |
+        - Enable core dumps and symbol files; capture stack traces.
+        - Pin compatible base image/libc; verify ABI expectations.
+        - Use ASAN/UBSAN builds; bisect recent native/library changes.
+      references:
+        - "https://man7.org/linux/man-pages/man7/signal.7.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 7
+      mitigationScore: 2
+      reports: 5
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t139$"
diff --git a/rules/cre-2025-0139/test.log b/rules/cre-2025-0139/test.log
@@ -1,11 +1 @@
-2025-01-28T11:00:12Z ERROR   supabase-kong   SSL certificate not found: /etc/ssl/certs/server.crt: no such file or directory
-2025-01-28T11:00:12Z ERROR   supabase-kong   SSL configuration error: certificate file missing or unreadable
-2025-01-28T11:00:13Z ERROR   supabase-kong   invalid certificate format: unable to load certificate
-2025-01-28T11:00:13Z ERROR   supabase-kong   certificate verification failed: invalid certificate content
-2025-01-28T11:00:14Z ERROR   supabase-kong   SSL handshake failed: certificate and key do not match
-2025-01-28T11:00:14Z ERROR   supabase-kong   permission denied reading certificate: /etc/ssl/private/server.key
-2025-01-28T11:00:15Z ERROR   supabase-kong   certificate expired: not valid after 2024-01-01T00:00:00Z
-2025-01-28T11:00:15Z ERROR   supabase-kong   SSL cert invalid: unable to verify certificate chain
-2025-01-28T11:00:16Z ERROR   supabase-kong   TLS configuration failed: missing SSL certificate files
-
-
+2025-08-27T13:32:40Z	cre-demo/segv-139	segv	Error	139
diff --git a/rules/cre-2025-0140/supabase-realtime-invalid-config.yaml b/rules/cre-2025-0140/supabase-realtime-invalid-config.yaml
@@ -0,0 +1,78 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB5R34lt1m3C1nf1gErr1r
+      gen: 1
+    cre:
+      id: CRE-2025-0140
+      severity: 2
+      title: "Supabase Self-Hosted: Realtime Service Crash Due to Invalid Configuration"
+      category: "realtime-problem"
+      author: Prequel
+      description: |
+        Detects when Supabase Realtime service fails to start or crashes due to invalid configuration parameters.
+        This affects WebSocket connections, real-time subscriptions, and live data streaming capabilities.
+        Common issues include invalid replication modes, missing database permissions, or incorrect environment variables.
+      cause: |
+        - Invalid REPLICATION_MODE configuration value
+        - Incorrect database connection parameters for realtime
+        - Missing or wrong DB_ENC_KEY encryption key
+        - Invalid SECRET_KEY_BASE configuration
+        - Insufficient database permissions for realtime operations
+        - Wrong FLY_* configuration parameters in non-Fly environments
+      tags:
+        - supabase
+        - realtime
+        - configuration
+        - replication
+        - connection
+        - self-hosted
+        - configuration-failure
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Check realtime service logs: `docker-compose logs realtime`
+          - Validate realtime environment variables in .env
+          - Ensure database is accessible from realtime service
+        CONFIGURATION:
+          - Remove invalid REPLICATION_MODE if not using custom replication
+          - Verify database connection settings:
+            ```
+            DB_HOST=db
+            DB_PORT=5432
+            DB_USER=supabase_realtime_admin
+            ```
+          - Set valid SECRET_KEY_BASE (64+ character random string)
+          - Remove FLY_* variables if not deploying on Fly.io
+        DATABASE:
+          - Ensure realtime schema exists and has proper permissions
+          - Check if supabase_realtime_admin role exists and has access
+          - Verify _realtime schema is properly configured
+      references:
+        - https://supabase.com/docs/guides/realtime
+        - https://github.com/supabase/realtime
+      applications:
+        - name: realtime
+          containerName: supabase-realtime
+          version: "v2.*"
+      impact: |
+        - Real-time subscriptions fail to connect
+        - WebSocket connections are rejected
+        - Live data updates stop working
+        - Real-time features in applications become unavailable
+        - Database change notifications are not delivered
+      impactScore: 6
+      mitigationScore: 5
+      reports: 12
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.realtime
+        match:
+          - regex: 'invalid.*replication.*mode|REPLICATION_MODE.*unknown|realtime.*configuration.*error'
+          - regex: 'SECRET_KEY_BASE.*invalid|DB_ENC_KEY.*missing|realtime.*startup.*failed'
+          - regex: 'websocket.*connection.*failed|realtime.*service.*crash|elixir.*application.*failed'
+          - value: "realtime"
+
+
diff --git a/rules/cre-2025-0140/test.log b/rules/cre-2025-0140/test.log
@@ -0,0 +1,11 @@
+2025-01-28T10:35:10Z ERROR   supabase-realtime invalid replication mode: 'invalid_mode' is not a supported replication mode
+2025-01-28T10:35:10Z ERROR   supabase-realtime REPLICATION_MODE configuration error: unknown value 'invalid_mode'
+2025-01-28T10:35:11Z ERROR   supabase-realtime realtime configuration error: INVALID_CONFIG_PARAM is not recognized
+2025-01-28T10:35:11Z ERROR   supabase-realtime SECRET_KEY_BASE must be at least 64 characters long
+2025-01-28T10:35:12Z ERROR   supabase-realtime DB_ENC_KEY missing or invalid format
+2025-01-28T10:35:12Z ERROR   supabase-realtime realtime startup failed: configuration validation error
+2025-01-28T10:35:13Z ERROR   supabase-realtime websocket connection failed: invalid configuration
+2025-01-28T10:35:13Z ERROR   supabase-realtime elixir application failed to start: configuration error
+2025-01-28T10:35:14Z ERROR   supabase-realtime realtime service crash: {:error, :invalid_config}
+
+
diff --git a/rules/cre-2025-0141/supabase-disk-full-migration.yaml b/rules/cre-2025-0141/supabase-disk-full-migration.yaml
@@ -0,0 +1,79 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB8D1skFullMigrat11nErr
+      gen: 1
+    cre:
+      id: CRE-2025-0141
+      severity: 1
+      title: "Supabase Self-Hosted: Disk Full During Database Migration Operations"
+      category: "storage-problem"
+      author: Prequel
+      description: |
+        Detects when Supabase PostgreSQL database operations fail due to insufficient disk space during migrations,
+        data imports, or large transactions. This can corrupt the database, leave migrations in inconsistent state,
+        and cause complete service failure requiring manual intervention.
+      cause: |
+        - Insufficient disk space for database operations
+        - Large migration files that exceed available storage
+        - WAL (Write-Ahead Log) files consuming all available space
+        - Temporary tables or indexes requiring more space than available
+        - Docker volume size limits reached
+        - Database backup/restore operations running out of space
+      tags:
+        - supabase
+        - postgres
+        - disk-full
+        - storage
+        - migration-failure
+        - wal
+        - self-hosted
+        - critical-failure
+        - data-loss-risk
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Stop database operations: `docker-compose stop db`
+          - Check disk usage: `df -h` and `docker system df`
+          - Free up disk space by removing unnecessary files
+          - Increase volume size or move to larger storage
+        RECOVERY:
+          - Restart database service after freeing space
+          - Check database integrity: `docker-compose exec db pg_check`
+          - Manually complete failed migrations if needed
+          - Restore from backup if database is corrupted
+        PREVENTION:
+          - Monitor disk usage continuously
+          - Set up disk space alerts (< 10% free)
+          - Use larger Docker volumes for production
+          - Implement automated cleanup of old WAL files
+          - Test migrations on staging with similar data volumes
+          - Configure PostgreSQL to limit WAL retention
+      references:
+        - https://www.postgresql.org/docs/current/wal-internals.html
+        - https://www.postgresql.org/docs/current/disk-usage.html
+      applications:
+        - name: postgres
+          containerName: supabase-db
+          version: "15.*"
+      impact: |
+        - Database corruption and data loss risk
+        - Incomplete migrations leaving schema in inconsistent state  
+        - Complete service outage until disk space resolved
+        - Potential need for database restore from backup
+        - Development/production environment downtime
+      impactScore: 10
+      mitigationScore: 7
+      reports: 8
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.supabase
+        match:
+          - regex: 'No space left on device|disk full|insufficient disk space'
+          - regex: 'could not.*write.*WAL|checkpoint.*failed.*disk full'
+          - regex: 'ERROR.*disk full|could not extend file.*No space left'
+          - value: "migration"
+
+
diff --git a/rules/cre-2025-0141/test.log b/rules/cre-2025-0141/test.log
@@ -0,0 +1,10 @@
+2025-01-28T10:50:32Z ERROR   supabase-db     ERROR: could not write to file "base/13442/16384": No space left on device
+2025-01-28T10:50:32Z ERROR   supabase-db     FATAL: could not write to WAL file: No space left on device
+2025-01-28T10:50:33Z ERROR   supabase-db     ERROR: disk full, could not extend file "base/13442/16385" to 8192 blocks
+2025-01-28T10:50:33Z ERROR   supabase-db     checkpoint request failed: No space left on device
+2025-01-28T10:50:34Z ERROR   supabase-db     ERROR: could not create file "pg_wal/000000010000000000000002": No space left on device
+2025-01-28T10:50:34Z ERROR   supabase-db     FATAL: insufficient disk space for WAL files
+2025-01-28T10:50:35Z ERROR   supabase-db     ERROR: could not write block 1048576 of temporary file: No space left on device
+2025-01-28T10:50:35Z ERROR   supabase-db     migration failed: disk full during large data operation
+
+
diff --git a/rules/cre-2025-0142/supabase-ssl-certificate-missing.yaml b/rules/cre-2025-0142/supabase-ssl-certificate-missing.yaml
diff --git a/rules/cre-2025-0142/test.log b/rules/cre-2025-0142/test.log
