diff --git a/rules/cre-2025-0130/supabase-postgres-port-conflict.yaml b/rules/cre-2025-0130/supabase-postgres-port-conflict.yaml new file mode 100644 index 0000000..6782f57 --- /dev/null +++ b/rules/cre-2025-0130/supabase-postgres-port-conflict.yaml 
@@ -0,0 +1,67 @@ +rules: + - metadata: + kind: prequel + id: SB1PtGC5QLJQnVmAkV11A + gen: 1 + cre: + id: CRE-2025-0130 + severity: 1 + title: "Supabase Self-Hosted: Postgres Container Fails to Start Due to Port Conflict" + category: "database-problem" + author: Prequel + description: | + Detects when Supabase self-hosted Postgres container fails to start because another service is already using port 5432. + This is a common issue during initial setup or when multiple Postgres instances are running on the same host. + The failure prevents the entire Supabase stack from starting properly. + cause: | + - Another Postgres instance is already running on port 5432 + - Docker port mapping conflict with existing services + - System service (like postgres system package) is using the default Postgres port + - Previous Supabase containers were not properly cleaned up + tags: + - supabase + - postgres + - port-binding + - configuration + - startup-failure + - self-hosted + - container-crash + - public + mitigation: | + IMMEDIATE: + - Stop conflicting Postgres instance: `sudo systemctl stop postgresql` or `docker stop ` + - Change Supabase Postgres port in .env: `POSTGRES_PORT=5433` + - Use Docker port mapping: `-p 5433:5432` instead of `-p 5432:5432` + PREVENTION: + - Check for running services before starting Supabase: `sudo netstat -tlnp | grep :5432` + - Use non-standard ports for self-hosted deployments + - Implement proper cleanup procedures in deployment scripts + references: + - https://supabase.com/docs/guides/self-hosting + - https://docs.docker.com/config/containers/container-networking/ + applications: + - name: postgres + containerName: supabase-db + version: "15.*" + - name: supabase + version: "*" + impact: | + - Complete Supabase stack startup failure + - Database service unavailable + - All dependent services (Auth, REST API, Realtime) cannot start + - Development environment blocked + impactScore: 9 + mitigationScore: 3 + reports: 15 + rule: + set: + window: 
5m + event: + source: cre.log.supabase + match: + - regex: 'Error starting userland proxy.*5432.*bind.*address already in use' + - regex: 'Ports are not available.*5432.*bind.*address already in use' + - regex: 'driver failed programming external connectivity.*supabase-db' + - value: "supabase-db" + + diff --git a/rules/cre-2025-0130/test.log b/rules/cre-2025-0130/test.log new file mode 100644 index 0000000..3def40e --- /dev/null +++ b/rules/cre-2025-0130/test.log @@ -0,0 +1,9 @@ +2025-01-28T10:15:30Z ERROR supabase-db Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use +2025-01-28T10:15:30Z ERROR supabase-db driver failed programming external connectivity on endpoint supabase-db: Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use +2025-01-28T10:15:31Z ERROR supabase-db Ports are not available: listen tcp 0.0.0.0:5432: bind: address already in use +2025-01-28T10:15:31Z ERROR supabase-db failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:380: starting container process caused: listen tcp 0.0.0.0:5432: bind: address already in use +2025-01-28T10:15:32Z ERROR supabase-db Error response from daemon: driver failed programming external connectivity on endpoint supabase-db (a1b2c3d4e5f6): Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use +2025-01-28T10:15:32Z ERROR supabase-db Container supabase-db exited with code 125 +2025-01-28T10:15:32Z ERROR supabase-db Service 'db' failed to build: Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use + + diff --git a/rules/cre-2025-0131/supabase-jwt-secret-invalid.yaml b/rules/cre-2025-0131/supabase-jwt-secret-invalid.yaml new file mode 100644 index 0000000..d5efc7f --- /dev/null +++ b/rules/cre-2025-0131/supabase-jwt-secret-invalid.yaml 
@@ -0,0 +1,72 @@ +rules: + - metadata: + kind: prequel + id: SB2JwtS3cr3tInv4l1dA + gen: 1 + cre: + id: CRE-2025-0131 + severity: 1 + title: "Supabase Self-Hosted: JWT Secret Missing or Invalid Configuration" + category: "authentication" + author: Prequel + description: | + Detects when Supabase self-hosted services fail due to missing, empty, or invalid JWT_SECRET configuration. + This affects Auth service, REST API, and all authentication-dependent operations. Invalid JWT secrets prevent + API token validation and break the entire authentication flow. + cause: | + - JWT_SECRET environment variable is empty or not set + - JWT_SECRET is too short (less than 32 characters) + - JWT_SECRET doesn't match the API keys (ANON_KEY, SERVICE_ROLE_KEY) + - JWT_SECRET contains invalid characters or format + tags: + - supabase + - authentication + - jwt + - configuration + - security + - api-key + - self-hosted + - public + mitigation: | + IMMEDIATE: + - Set valid JWT_SECRET in .env: `JWT_SECRET=your-super-secret-jwt-token-with-at-least-32-characters-long` + - Regenerate API keys if JWT_SECRET was changed: Use Supabase CLI or JWT generator + - Ensure JWT_SECRET matches the secret used to generate ANON_KEY and SERVICE_ROLE_KEY + VERIFICATION: + - Test auth endpoint: `curl http://localhost:8000/auth/v1/user` + - Verify JWT validation: Check service logs for "invalid JWT" errors + PREVENTION: + - Use environment variable validation in deployment scripts + - Store secrets securely (HashiCorp Vault, Kubernetes secrets) + - Document JWT_SECRET requirements in setup guides + references: + - https://supabase.com/docs/guides/self-hosting/docker + - https://jwt.io/introduction/ + - https://supabase.com/docs/learn/auth-deep-dive/auth-deep-dive-jwts + applications: + - name: gotrue + containerName: supabase-auth + version: "v2.*" + - name: postgrest + containerName: supabase-rest + version: "v12.*" + impact: | + - Complete authentication system failure + - API requests return 401 
Unauthorized + - Users cannot sign in or access protected resources + - All client applications lose authentication capability + impactScore: 10 + mitigationScore: 4 + reports: 25 + rule: + set: + window: 5m + event: + source: cre.log.supabase + match: + - regex: 'invalid JWT.*secret|JWT_SECRET.*empty|JWT.*validation.*failed' + - regex: 'authentication failed.*JWT|invalid.*token.*signature' + - regex: 'GOTRUE_JWT_SECRET.*required|JWT secret.*too short' + - value: "authentication" + + diff --git a/rules/cre-2025-0131/test.log b/rules/cre-2025-0131/test.log new file mode 100644 index 0000000..03eacdb --- /dev/null +++ b/rules/cre-2025-0131/test.log @@ -0,0 +1,12 @@ +2025-01-28T10:20:15Z ERROR supabase-auth GOTRUE_JWT_SECRET is required but not provided +2025-01-28T10:20:15Z ERROR supabase-auth invalid JWT secret: JWT_SECRET must be at least 32 characters long +2025-01-28T10:20:16Z ERROR supabase-auth authentication failed: invalid JWT signature +2025-01-28T10:20:16Z ERROR supabase-rest JWT validation failed: token signature is invalid +2025-01-28T10:20:17Z ERROR supabase-auth failed to validate JWT token: crypto/rsa: verification error +2025-01-28T10:20:17Z ERROR supabase-rest authentication error: invalid token signature, expected different signing method +2025-01-28T10:20:18Z WARN supabase-auth JWT_SECRET environment variable is empty, using default (INSECURE) +2025-01-28T10:20:18Z ERROR supabase-rest PGRST_JWT_SECRET validation failed: secret too short +2025-01-28T10:20:19Z ERROR supabase-auth cannot decode JWT token: illegal base64 data +2025-01-28T10:20:19Z ERROR supabase-kong authentication plugin error: JWT verification failed + + diff --git a/rules/cre-2025-0132/supabase-database-connection-timeout.yaml b/rules/cre-2025-0132/supabase-database-connection-timeout.yaml new file mode 100644 index 0000000..9de6b6c --- /dev/null +++ b/rules/cre-2025-0132/supabase-database-connection-timeout.yaml 
@@ -0,0 +1,78 @@ +rules: + - metadata: + kind: prequel + id: SB3DbConn3ct11nT1m31ut + gen: 1 + cre: + id: CRE-2025-0132 + severity: 2 + title: "Supabase Self-Hosted: Database Connection Timeout and Service Failure" + category: "database-problem" + author: Prequel + description: | + Detects when Supabase services lose connection to the PostgreSQL database due to timeouts, network issues, + or database unavailability. This affects Auth, REST API, Storage, and all database-dependent operations. + Occurs during database restarts, network partitions, or when database becomes unresponsive. + cause: | + - PostgreSQL database container stopped or crashed + - Network connectivity issues between services and database + - Database server overloaded and not responding to connections + - Database connection pool exhaustion + - Firewall rules blocking database access + - DNS resolution failures for database hostname + tags: + - supabase + - postgres + - connection + - timeout + - network + - self-hosted + - connectivity + - public + mitigation: | + IMMEDIATE: + - Check database container status: `docker-compose ps db` + - Restart database service: `docker-compose restart db` + - Verify database connectivity: `docker-compose exec db pg_isready -U postgres` + INVESTIGATION: + - Check database logs: `docker-compose logs db` + - Monitor connection pool: Check for connection limit errors + - Verify network connectivity between containers + PREVENTION: + - Implement database health checks with proper timeouts + - Configure connection pooling limits appropriately + - Set up database monitoring and alerting + - Use connection retry logic with exponential backoff + references: + - https://www.postgresql.org/docs/current/runtime-config-connection.html + - https://supabase.com/docs/guides/platform/troubleshooting + applications: + - name: gotrue + containerName: supabase-auth + - name: postgrest + containerName: supabase-rest + - name: storage-api + containerName: supabase-storage + - 
name: realtime + containerName: supabase-realtime + impact: | + - API requests fail with database connection errors + - User authentication becomes unavailable + - File storage operations fail + - Real-time subscriptions disconnect + - Application becomes unusable until database connectivity is restored + impactScore: 8 + mitigationScore: 5 + reports: 30 + rule: + set: + window: 5m + event: + source: cre.log.supabase + match: + - regex: 'connection.*refused.*5432|timeout.*database|dial tcp.*5432.*connection refused' + - regex: 'failed to connect to.*postgres|database connection.*timeout|connection reset by peer' + - regex: 'could not connect to server|server closed the connection|connection timed out' + - value: "database" + + diff --git a/rules/cre-2025-0132/test.log b/rules/cre-2025-0132/test.log new file mode 100644 index 0000000..ae476a3 --- /dev/null +++ b/rules/cre-2025-0132/test.log @@ -0,0 +1,12 @@ +2025-01-28T10:25:45Z ERROR supabase-auth failed to connect to database: dial tcp 172.20.0.2:5432: connect: connection refused +2025-01-28T10:25:45Z ERROR supabase-rest database connection timeout: could not connect to server: Connection refused +2025-01-28T10:25:46Z ERROR supabase-storage connection to database failed: dial tcp db:5432: i/o timeout +2025-01-28T10:25:46Z ERROR supabase-realtime database health check failed: connection refused (ECONNREFUSED) +2025-01-28T10:25:47Z ERROR supabase-auth pq: server closed the connection unexpectedly +2025-01-28T10:25:47Z ERROR supabase-rest connection reset by peer while connecting to postgres +2025-01-28T10:25:48Z ERROR supabase-storage DATABASE_URL connection failed: timeout expired +2025-01-28T10:25:48Z ERROR supabase-realtime could not connect to database: timeout after 30000ms +2025-01-28T10:25:49Z ERROR supabase-auth database connection lost: An I/O error occurred while sending to the backend +2025-01-28T10:25:49Z ERROR supabase-rest connection to server at "db" (172.20.0.2), port 5432 failed: timeout expired + + 
diff --git a/rules/cre-2025-0133/supabase-storage-s3-misconfiguration.yaml b/rules/cre-2025-0133/supabase-storage-s3-misconfiguration.yaml new file mode 100644 index 0000000..2c4378b --- /dev/null +++ b/rules/cre-2025-0133/supabase-storage-s3-misconfiguration.yaml 
@@ -0,0 +1,78 @@ +rules: + - metadata: + kind: prequel + id: SB4St1r4g3S3M1sc1nf1g + gen: 1 + cre: + id: CRE-2025-0133 + severity: 2 + title: "Supabase Self-Hosted: Storage Service Fails Due to S3 Misconfiguration" + category: "storage-problem" + author: Prequel + description: | + Detects when Supabase Storage service fails due to incorrect S3 configuration including invalid credentials, + non-existent buckets, or wrong S3 endpoint settings. This affects file upload/download operations and + prevents the storage API from functioning properly. + cause: | + - Invalid AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + - Non-existent or inaccessible S3 bucket + - Incorrect S3 region configuration + - Wrong S3 endpoint URL (for custom S3-compatible services) + - Insufficient S3 bucket permissions + - Network connectivity issues to S3 service + tags: + - supabase + - storage + - s3 + - aws + - configuration + - api-key + - self-hosted + - infrastructure + - public + mitigation: | + IMMEDIATE: + - Verify S3 credentials: Test with AWS CLI `aws s3 ls s3://your-bucket` + - Check bucket existence and permissions in AWS Console + - Validate S3 region matches configuration + CONFIGURATION: + - Update .env with correct S3 credentials: + ``` + AWS_ACCESS_KEY_ID=valid_access_key + AWS_SECRET_ACCESS_KEY=valid_secret_key + AWS_DEFAULT_REGION=correct_region + S3_BUCKET=existing_bucket_name + ``` + - Ensure S3 bucket policy allows storage service operations + - Test connectivity to S3 endpoint from container network + PREVENTION: + - Use IAM roles instead of access keys when possible + - Implement S3 configuration validation in deployment scripts + - Set up monitoring for S3 API call failures + references: + - https://supabase.com/docs/guides/storage/s3 + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html + applications: + - name: storage-api + containerName: supabase-storage + version: "v1.*" + impact: | + - File upload/download operations fail + 
- Storage API returns authentication errors + - Users cannot access stored files + - Application features requiring file storage become unavailable + impactScore: 7 + mitigationScore: 4 + reports: 18 + rule: + set: + window: 5m + event: + source: cre.log.storage + match: + - regex: 'AWS.*credentials.*invalid|S3.*authentication.*failed|AccessDenied.*S3' + - regex: 'NoSuchBucket.*does not exist|InvalidAccessKeyId|SignatureDoesNotMatch' + - regex: 'S3.*connection.*failed|unable to connect.*s3|InvalidBucketName' + - value: "storage" + + diff --git a/rules/cre-2025-0133/test.log b/rules/cre-2025-0133/test.log new file mode 100644 index 0000000..3ff49c8 --- /dev/null +++ b/rules/cre-2025-0133/test.log @@ -0,0 +1,11 @@ +2025-01-28T10:30:22Z ERROR supabase-storage AWS credentials are invalid: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records +2025-01-28T10:30:22Z ERROR supabase-storage S3 authentication failed: SignatureDoesNotMatch: The request signature we calculated does not match +2025-01-28T10:30:23Z ERROR supabase-storage S3 operation failed: NoSuchBucket: The specified bucket does not exist: invalid-bucket-name-12345 +2025-01-28T10:30:23Z ERROR supabase-storage unable to connect to S3 endpoint: dial tcp: lookup s3.amazonaws.com: no such host +2025-01-28T10:30:24Z ERROR supabase-storage AccessDenied: Access Denied for bucket operations +2025-01-28T10:30:24Z ERROR supabase-storage S3 connection failed: InvalidBucketName: The specified bucket is not valid +2025-01-28T10:30:25Z ERROR supabase-storage AWS SDK error: credentials: environment credentials not found +2025-01-28T10:30:25Z ERROR supabase-storage storage backend initialization failed: S3 service unavailable +2025-01-28T10:30:26Z ERROR supabase-storage file upload failed: S3 authentication error - check credentials + + 
diff --git a/rules/cre-2025-0134/supabase-realtime-invalid-config.yaml b/rules/cre-2025-0134/supabase-realtime-invalid-config.yaml new file mode 100644 index 0000000..97fad78 --- /dev/null +++ b/rules/cre-2025-0134/supabase-realtime-invalid-config.yaml 
@@ -0,0 +1,78 @@ +rules: + - metadata: + kind: prequel + id: SB5R34lt1m3C1nf1gErr1r + gen: 1 + cre: + id: CRE-2025-0134 + severity: 2 + title: "Supabase Self-Hosted: Realtime Service Crash Due to Invalid Configuration" + category: "realtime-problem" + author: Prequel + description: | + Detects when Supabase Realtime service fails to start or crashes due to invalid configuration parameters. + This affects WebSocket connections, real-time subscriptions, and live data streaming capabilities. + Common issues include invalid replication modes, missing database permissions, or incorrect environment variables. + cause: | + - Invalid REPLICATION_MODE configuration value + - Incorrect database connection parameters for realtime + - Missing or wrong DB_ENC_KEY encryption key + - Invalid SECRET_KEY_BASE configuration + - Insufficient database permissions for realtime operations + - Wrong FLY_* configuration parameters in non-Fly environments + tags: + - supabase + - realtime + - configuration + - replication + - connection + - self-hosted + - configuration-failure + - public + mitigation: | + IMMEDIATE: + - Check realtime service logs: `docker-compose logs realtime` + - Validate realtime environment variables in .env + - Ensure database is accessible from realtime service + CONFIGURATION: + - Remove invalid REPLICATION_MODE if not using custom replication + - Verify database connection settings: + ``` + DB_HOST=db + DB_PORT=5432 + DB_USER=supabase_realtime_admin + ``` + - Set valid SECRET_KEY_BASE (64+ character random string) + - Remove FLY_* variables if not deploying on Fly.io + DATABASE: + - Ensure realtime schema exists and has proper permissions + - Check if supabase_realtime_admin role exists and has access + - Verify _realtime schema is properly configured + references: + - https://supabase.com/docs/guides/realtime + - https://github.com/supabase/realtime + applications: + - name: realtime + containerName: supabase-realtime + version: "v2.*" + impact: | + - Real-time 
subscriptions fail to connect + - WebSocket connections are rejected + - Live data updates stop working + - Real-time features in applications become unavailable + - Database change notifications are not delivered + impactScore: 6 + mitigationScore: 5 + reports: 12 + rule: + set: + window: 5m + event: + source: cre.log.realtime + match: + - regex: 'invalid.*replication.*mode|REPLICATION_MODE.*unknown|realtime.*configuration.*error' + - regex: 'SECRET_KEY_BASE.*invalid|DB_ENC_KEY.*missing|realtime.*startup.*failed' + - regex: 'websocket.*connection.*failed|realtime.*service.*crash|elixir.*application.*failed' + - value: "realtime" + + diff --git a/rules/cre-2025-0134/test.log b/rules/cre-2025-0134/test.log new file mode 100644 index 0000000..4274f31 --- /dev/null +++ b/rules/cre-2025-0134/test.log @@ -0,0 +1,11 @@ +2025-01-28T10:35:10Z ERROR supabase-realtime invalid replication mode: 'invalid_mode' is not a supported replication mode +2025-01-28T10:35:10Z ERROR supabase-realtime REPLICATION_MODE configuration error: unknown value 'invalid_mode' +2025-01-28T10:35:11Z ERROR supabase-realtime realtime configuration error: INVALID_CONFIG_PARAM is not recognized +2025-01-28T10:35:11Z ERROR supabase-realtime SECRET_KEY_BASE must be at least 64 characters long +2025-01-28T10:35:12Z ERROR supabase-realtime DB_ENC_KEY missing or invalid format +2025-01-28T10:35:12Z ERROR supabase-realtime realtime startup failed: configuration validation error +2025-01-28T10:35:13Z ERROR supabase-realtime websocket connection failed: invalid configuration +2025-01-28T10:35:13Z ERROR supabase-realtime elixir application failed to start: configuration error +2025-01-28T10:35:14Z ERROR supabase-realtime realtime service crash: {:error, :invalid_config} + + diff --git a/rules/cre-2025-0135/supabase-migration-errors.yaml b/rules/cre-2025-0135/supabase-migration-errors.yaml new file mode 100644 index 0000000..3121cac --- /dev/null +++ b/rules/cre-2025-0135/supabase-migration-errors.yaml 
@@ -0,0 +1,79 @@ +rules: + - metadata: + kind: prequel + id: SB6M1gr4t11nSyntaxErr1r + gen: 1 + cre: + id: CRE-2025-0135 + severity: 2 + title: "Supabase Self-Hosted: Database Migration Failures Due to SQL Syntax Errors" + category: "migration-failure" + author: Prequel + description: | + Detects when Supabase database migrations fail due to SQL syntax errors, invalid schema changes, + or constraint violations. Migration failures can leave the database in an inconsistent state and + prevent the application from starting or functioning properly. + cause: | + - SQL syntax errors in migration files + - Invalid data types or column definitions + - Foreign key references to non-existent tables + - Circular foreign key dependencies + - Missing semicolons or malformed SQL statements + - Attempts to create tables/columns that already exist + - Constraint violations or invalid schema modifications + tags: + - supabase + - postgres + - migration-failure + - schema-error + - self-hosted + - configuration + - public + mitigation: | + IMMEDIATE: + - Check database logs for specific SQL error details + - Identify failing migration file and line number + - Stop database container to prevent further damage + RECOVERY: + - Fix SQL syntax errors in migration files + - Remove invalid migration files from migrations directory + - Restore database from backup if migrations corrupted data + - Manually run corrected migrations step by step + VALIDATION: + - Test migrations on development database first + - Use SQL linting tools to validate syntax + - Implement migration rollback procedures + - Add migration validation to CI/CD pipeline + PREVENTION: + - Use database migration tools with validation + - Create database backups before running migrations + - Implement proper foreign key constraint order + - Use transaction-wrapped migrations for atomicity + references: + - https://www.postgresql.org/docs/current/sql-syntax.html + - 
https://supabase.com/docs/guides/database/database-migrations + applications: + - name: postgres + containerName: supabase-db + version: "15.*" + impact: | + - Database becomes corrupted or inconsistent + - Application startup fails due to missing schema + - Data integrity compromised by failed constraints + - Development environment requires manual intervention + - Production deployment rollback may be required + impactScore: 7 + mitigationScore: 6 + reports: 20 + rule: + set: + window: 5m + event: + source: cre.log.postgres + match: + - regex: 'syntax error at or near|ERROR.*invalid syntax|SQL.*parse error' + - regex: 'relation.*does not exist|column.*does not exist|invalid.*data.*type' + - regex: 'foreign key constraint.*fails|constraint.*violation|migration.*failed' + - value: "migration" + + diff --git a/rules/cre-2025-0135/test.log b/rules/cre-2025-0135/test.log new file mode 100644 index 0000000..9c0d583 --- /dev/null +++ b/rules/cre-2025-0135/test.log @@ -0,0 +1,12 @@ +2025-01-28T10:40:05Z ERROR supabase-db ERROR: syntax error at or near ")" at character 45 +2025-01-28T10:40:05Z ERROR supabase-db ERROR: relation "non_existent_users" does not exist +2025-01-28T10:40:06Z ERROR supabase-db ERROR: type "invalid_data_type" does not exist +2025-01-28T10:40:06Z ERROR supabase-db ERROR: invalid SQL statement in migration 001_invalid_syntax.sql +2025-01-28T10:40:07Z ERROR supabase-db ERROR: foreign key constraint "orders_user_id_fkey" cannot be created +2025-01-28T10:40:07Z ERROR supabase-db ERROR: constraint violation: relation "table_a" does not exist +2025-01-28T10:40:08Z ERROR supabase-db ERROR: column "column1" must appear in the GROUP BY clause +2025-01-28T10:40:08Z ERROR supabase-db migration failed: ERROR: unterminated quoted string +2025-01-28T10:40:09Z ERROR supabase-db ERROR: function "broken_function" already exists with same argument types +2025-01-28T10:40:09Z ERROR supabase-db ERROR: missing FROM-clause entry for table "non_existent_table" + + 
diff --git a/rules/cre-2025-0136/supabase-auth-port-conflict.yaml b/rules/cre-2025-0136/supabase-auth-port-conflict.yaml new file mode 100644 index 0000000..6fa4157 --- /dev/null +++ b/rules/cre-2025-0136/supabase-auth-port-conflict.yaml 
@@ -0,0 +1,72 @@ +rules: + - metadata: + kind: prequel + id: SB7Auth1P1rtC1nfl1ctErr + gen: 1 + cre: + id: CRE-2025-0136 + severity: 2 + title: "Supabase Self-Hosted: Auth Service Fails Due to Port Binding Conflict" + category: "authentication" + author: Prequel + description: | + Detects when Supabase Auth service (GoTrue) fails to start because the configured port is already in use + by another service. This prevents user authentication, registration, and all auth-related operations + from functioning in the self-hosted Supabase deployment. + cause: | + - Another service is already using port 9999 (default auth port) + - System service bound to the auth port + - Previous auth container not properly cleaned up + - Docker port mapping conflicts + - Permission denied when trying to bind to privileged ports (< 1024) + tags: + - supabase + - authentication + - port-binding + - configuration + - startup-failure + - self-hosted + - gotrue + - public + mitigation: | + IMMEDIATE: + - Stop conflicting service on port 9999: `sudo lsof -ti:9999 | xargs kill` + - Change auth port in .env: `AUTH_PORT=9998` + - Restart auth service: `docker-compose restart auth` + VERIFICATION: + - Check port availability: `netstat -tlnp | grep :9999` + - Test auth endpoint: `curl http://localhost:9999/health` + - Verify no port binding errors in logs + PREVENTION: + - Use non-standard ports for self-hosted deployments + - Implement port availability checks in deployment scripts + - Document port requirements and conflicts + - Use Docker host networking mode if needed + references: + - https://supabase.com/docs/guides/self-hosting/docker + - https://github.com/supabase/gotrue + applications: + - name: gotrue + containerName: supabase-auth + version: "v2.*" + impact: | + - Authentication service completely unavailable + - Users cannot sign in, register, or manage accounts + - Password reset and email verification fail + - All auth-dependent application features broken + - API returns 
authentication errors + impactScore: 8 + mitigationScore: 3 + reports: 15 + rule: + set: + window: 5m + event: + source: cre.log.docker + match: + - regex: 'Error starting userland proxy.*:9999.*bind: address already in use' + - regex: 'port is already allocated.*9999|Ports are not available.*:9999' + - regex: 'failed programming external connectivity.*supabase-auth.*9999' + - value: "supabase-auth" + + diff --git a/rules/cre-2025-0136/test.log b/rules/cre-2025-0136/test.log new file mode 100644 index 0000000..aeecbfa --- /dev/null +++ b/rules/cre-2025-0136/test.log @@ -0,0 +1,8 @@ +2025-01-28T10:45:18Z ERROR docker Error starting userland proxy: listen tcp 0.0.0.0:9999: bind: address already in use +2025-01-28T10:45:18Z ERROR docker driver failed programming external connectivity on endpoint supabase-auth: Error starting userland proxy: listen tcp 0.0.0.0:9999: bind: address already in use +2025-01-28T10:45:19Z ERROR docker Ports are not available: listen tcp 0.0.0.0:9999: bind: address already in use +2025-01-28T10:45:19Z ERROR docker failed to create endpoint supabase-auth on network: port is already allocated +2025-01-28T10:45:20Z ERROR compose Container supabase-auth exited with code 125 +2025-01-28T10:45:20Z ERROR docker Error response from daemon: driver failed programming external connectivity on endpoint supabase-auth: Error starting userland proxy: listen tcp 0.0.0.0:9999: bind: address already in use + + diff --git a/rules/cre-2025-0137/supabase-disk-full-migration.yaml b/rules/cre-2025-0137/supabase-disk-full-migration.yaml new file mode 100644 index 0000000..8a22815 --- /dev/null +++ b/rules/cre-2025-0137/supabase-disk-full-migration.yaml 
@@ -0,0 +1,79 @@ +rules: + - metadata: + kind: prequel + id: SB8D1skFullMigrat11nErr + gen: 1 + cre: + id: CRE-2025-0137 + severity: 1 + title: "Supabase Self-Hosted: Disk Full During Database Migration Operations" + category: "storage-problem" + author: Prequel + description: | + Detects when Supabase PostgreSQL database operations fail due to insufficient disk space during migrations, + data imports, or large transactions. This can corrupt the database, leave migrations in inconsistent state, + and cause complete service failure requiring manual intervention. + cause: | + - Insufficient disk space for database operations + - Large migration files that exceed available storage + - WAL (Write-Ahead Log) files consuming all available space + - Temporary tables or indexes requiring more space than available + - Docker volume size limits reached + - Database backup/restore operations running out of space + tags: + - supabase + - postgres + - disk-full + - storage + - migration-failure + - wal + - self-hosted + - critical-failure + - data-loss-risk + - public + mitigation: | + IMMEDIATE: + - Stop database operations: `docker-compose stop db` + - Check disk usage: `df -h` and `docker system df` + - Free up disk space by removing unnecessary files + - Increase volume size or move to larger storage + RECOVERY: + - Restart database service after freeing space + - Check database integrity: `docker-compose exec db pg_check` + - Manually complete failed migrations if needed + - Restore from backup if database is corrupted + PREVENTION: + - Monitor disk usage continuously + - Set up disk space alerts (< 10% free) + - Use larger Docker volumes for production + - Implement automated cleanup of old WAL files + - Test migrations on staging with similar data volumes + - Configure PostgreSQL to limit WAL retention + references: + - https://www.postgresql.org/docs/current/wal-internals.html + - https://www.postgresql.org/docs/current/disk-usage.html + applications: + - name: postgres 
+ containerName: supabase-db + version: "15.*" + impact: | + - Database corruption and data loss risk + - Incomplete migrations leaving schema in inconsistent state + - Complete service outage until disk space resolved + - Potential need for database restore from backup + - Development/production environment downtime + impactScore: 10 + mitigationScore: 7 + reports: 8 + rule: + set: + window: 5m + event: + source: cre.log.supabase + match: + - regex: 'No space left on device|disk full|insufficient disk space' + - regex: 'could not.*write.*WAL|checkpoint.*failed.*disk full' + - regex: 'ERROR.*disk full|could not extend file.*No space left' + - value: "migration" + + diff --git a/rules/cre-2025-0137/test.log b/rules/cre-2025-0137/test.log new file mode 100644 index 0000000..66cac60 --- /dev/null +++ b/rules/cre-2025-0137/test.log @@ -0,0 +1,10 @@ +2025-01-28T10:50:32Z ERROR supabase-db ERROR: could not write to file "base/13442/16384": No space left on device +2025-01-28T10:50:32Z ERROR supabase-db FATAL: could not write to WAL file: No space left on device +2025-01-28T10:50:33Z ERROR supabase-db ERROR: disk full, could not extend file "base/13442/16385" to 8192 blocks +2025-01-28T10:50:33Z ERROR supabase-db checkpoint request failed: No space left on device +2025-01-28T10:50:34Z ERROR supabase-db ERROR: could not create file "pg_wal/000000010000000000000002": No space left on device +2025-01-28T10:50:34Z ERROR supabase-db FATAL: insufficient disk space for WAL files +2025-01-28T10:50:35Z ERROR supabase-db ERROR: could not write block 1048576 of temporary file: No space left on device +2025-01-28T10:50:35Z ERROR supabase-db migration failed: disk full during large data operation + + diff --git a/rules/cre-2025-0138/supabase-rate-limit-exceeded.yaml b/rules/cre-2025-0138/supabase-rate-limit-exceeded.yaml new file mode 100644 index 0000000..979064e --- /dev/null +++ b/rules/cre-2025-0138/supabase-rate-limit-exceeded.yaml 
@@ -0,0 +1,83 @@ +rules: + - metadata: + kind: prequel + id: SB9R4t3L1m1tExc33d3dA + gen: 1 + cre: + id: CRE-2025-0138 + severity: 3 + title: "Supabase Self-Hosted: API Rate Limit Exceeded and Request Throttling" + category: "api-problem" + author: Prequel + description: | + Detects when Supabase API requests are being rate-limited due to excessive traffic or aggressive client behavior. + This results in HTTP 429 responses and can indicate DDoS attacks, misconfigured clients, or insufficient + rate limiting configuration for the application's traffic patterns. + cause: | + - Aggressive rate limiting configuration (too low limits) + - Client applications making excessive API requests + - DDoS attack or malicious traffic patterns + - Retry loops in client code causing request amplification + - Missing request caching leading to redundant API calls + - Load testing without appropriate rate limit adjustments + tags: + - supabase + - rate-limiting + - throttling + - proxy + - performance + - self-hosted + - public + mitigation: | + IMMEDIATE: + - Review rate limiting configuration in Kong + - Identify source of excessive requests in logs + - Temporarily increase rate limits if legitimate traffic + - Block malicious IPs if under attack + CONFIGURATION: + - Adjust Kong rate limiting plugin settings: + ```yaml + rate-limiting: + config: + minute: 100 # Increase from current limits + policy: local + ``` + - Implement different limits for different API endpoints + - Use Redis for distributed rate limiting if scaling + CLIENT-SIDE: + - Implement exponential backoff in client retry logic + - Add request caching for frequently accessed data + - Use WebSocket for real-time updates instead of polling + - Implement client-side rate limiting + MONITORING: + - Set up alerts for high rate limit rejection rates + - Monitor API usage patterns and trends + - Track legitimate vs. 
malicious traffic + references: + - https://docs.konghq.com/hub/kong-inc/rate-limiting/ + - https://supabase.com/docs/guides/platform/rate-limits + applications: + - name: kong + containerName: supabase-kong + version: "2.*" + impact: | + - Legitimate API requests rejected with HTTP 429 + - Application functionality degraded or unavailable + - User experience impacted by failed operations + - Potential service unavailability during traffic spikes + - Client applications may enter error states + impactScore: 5 + mitigationScore: 4 + reports: 22 + rule: + set: + window: 5m + event: + source: cre.log.kong + match: + - regex: 'HTTP.*429.*Too Many Requests|rate limit exceeded|quota exceeded' + - regex: 'rate-limiting.*rejected|API.*throttled|request.*rate limited' + - regex: 'too many requests.*minute|exceeded.*rate.*limit' + - value: "rate-limiting" + + diff --git a/rules/cre-2025-0138/test.log b/rules/cre-2025-0138/test.log new file mode 100644 index 0000000..7510f88 --- /dev/null +++ b/rules/cre-2025-0138/test.log 
@@ -0,0 +1,9 @@ +2025-01-28T10:55:45Z ERROR supabase-kong HTTP 429 Too Many Requests: rate limit exceeded for API endpoint +2025-01-28T10:55:45Z ERROR supabase-kong rate-limiting plugin rejected request: quota exceeded (5 requests per minute) +2025-01-28T10:55:46Z ERROR supabase-kong API throttled: too many requests from client in 1 minute window +2025-01-28T10:55:46Z ERROR supabase-kong request rate limited: exceeded maximum of 5 requests per minute +2025-01-28T10:55:47Z ERROR supabase-kong rate limit exceeded for consumer 'anon': 429 Too Many Requests +2025-01-28T10:55:47Z ERROR supabase-kong rejected request due to rate limiting policy violation +2025-01-28T10:55:48Z ERROR supabase-kong quota exceeded: client has exceeded their rate limit allocation +2025-01-28T10:55:48Z ERROR supabase-kong too many requests in time window: blocking further requests +2025-01-28T10:55:49Z ERROR supabase-kong rate-limiting: request blocked due to excessive traffic \ No newline at end of file diff --git a/rules/cre-2025-0139/supabase-ssl-certificate-missing.yaml b/rules/cre-2025-0139/supabase-ssl-certificate-missing.yaml new file mode 100644 index 0000000..d38e25c --- /dev/null +++ b/rules/cre-2025-0139/supabase-ssl-certificate-missing.yaml 
@@ -0,0 +1,87 @@ +rules: + - metadata: + kind: prequel + id: SB11SSLCertM1ss1ngErr1r + gen: 1 + cre: + id: CRE-2025-0139 + severity: 2 + title: "Supabase Self-Hosted: SSL Certificate Missing or Invalid Configuration" + category: "configuration-problem" + author: Prequel + description: | + Detects when Supabase services fail due to missing, invalid, or improperly configured SSL certificates. + This affects HTTPS endpoints, secure WebSocket connections, and can prevent clients from establishing + secure connections to the self-hosted Supabase instance. + cause: | + - SSL certificate files missing from expected paths + - Invalid or corrupted certificate content + - Certificate file permission errors (not readable by service) + - Expired SSL certificates + - Certificate and private key mismatch + - Wrong certificate format or encoding + - SSL configuration enabled but certificates not provided + tags: + - supabase + - ssl + - tls + - certificate-verification + - security + - configuration + - proxy + - self-hosted + - ssl-certificate + - public + mitigation: | + IMMEDIATE: + - Check certificate file existence: `ls -la /path/to/ssl/certs/` + - Verify certificate permissions: `chmod 644 server.crt && chmod 600 server.key` + - Test certificate validity: `openssl x509 -in server.crt -text -noout` + CONFIGURATION: + - Generate self-signed certificate for testing: + ```bash + openssl req -x509 -newkey rsa:2048 -nodes \ + -keyout server.key -out server.crt -days 365 \ + -subj "/CN=localhost" + ``` + - Use Let's Encrypt for production certificates + - Update Kong SSL configuration with correct certificate paths + - Ensure certificate includes necessary Subject Alternative Names (SANs) + VALIDATION: + - Test HTTPS endpoint: `curl -k https://localhost:8443/` + - Verify certificate chain: `openssl verify -verbose server.crt` + - Check certificate expiration: `openssl x509 -in server.crt -noout -dates` + PREVENTION: + - Implement certificate expiration monitoring + - Use automated 
certificate renewal (certbot) + - Store certificates securely with proper access controls + - Document SSL configuration requirements + references: + - https://docs.konghq.com/latest/configure/auth/tls/ + - https://letsencrypt.org/getting-started/ + - https://www.openssl.org/docs/man1.1.1/man1/openssl-x509.html + applications: + - name: kong + containerName: supabase-kong + version: "2.*" + impact: | + - HTTPS endpoints fail to start or accept connections + - Secure WebSocket connections cannot be established + - Browsers display security warnings for invalid certificates + - API clients fail SSL verification + - Complete loss of secure connectivity + impactScore: 6 + mitigationScore: 5 + reports: 10 + rule: + set: + window: 5m + event: + source: cre.log.kong + match: + - regex: 'SSL.*certificate.*not found|certificate.*file.*missing|SSL.*configuration.*error' + - regex: 'invalid.*certificate|certificate.*verification.*failed|SSL.*handshake.*failed' + - regex: 'permission denied.*certificate|certificate.*expired|SSL.*cert.*invalid' + - value: "ssl" + + diff --git a/rules/cre-2025-0139/test.log b/rules/cre-2025-0139/test.log new file mode 100644 index 0000000..3de20ce --- /dev/null +++ b/rules/cre-2025-0139/test.log 
@@ -0,0 +1,11 @@ +2025-01-28T11:00:12Z ERROR supabase-kong SSL certificate not found: /etc/ssl/certs/server.crt: no such file or directory +2025-01-28T11:00:12Z ERROR supabase-kong SSL configuration error: certificate file missing or unreadable +2025-01-28T11:00:13Z ERROR supabase-kong invalid certificate format: unable to load certificate +2025-01-28T11:00:13Z ERROR supabase-kong certificate verification failed: invalid certificate content +2025-01-28T11:00:14Z ERROR supabase-kong SSL handshake failed: certificate and key do not match +2025-01-28T11:00:14Z ERROR supabase-kong permission denied reading certificate: /etc/ssl/private/server.key +2025-01-28T11:00:15Z ERROR supabase-kong certificate expired: not valid after 2024-01-01T00:00:00Z +2025-01-28T11:00:15Z ERROR supabase-kong SSL cert invalid: unable to verify certificate chain +2025-01-28T11:00:16Z ERROR supabase-kong TLS configuration failed: missing SSL certificate files + + diff --git a/rules/data-sources.yaml b/rules/data-sources.yaml new file mode 100644 index 0000000..44f2dcf --- /dev/null +++ b/rules/data-sources.yaml 
@@ -0,0 +1,83 @@ +# Data Sources Configuration for Supabase CRE Rules +# This file defines the log sources used by Supabase self-hosted CRE rules (CRE-2025-0130 through CRE-2025-0139) + +# Docker container logs for port conflicts and startup failures +cre.log.docker: + description: "Docker daemon and container startup logs, used for detecting port conflicts and container failures" + examples: + - "Docker daemon logs from docker-compose or docker run commands" + - "Container startup failure messages" + - "Port binding and networking errors" + common_sources: + - "/var/log/docker.log" + - "docker-compose logs output" + - "journalctl -u docker.service" + +# Supabase service logs (general) +cre.log.supabase: + description: "General Supabase service logs from Auth, REST API, and other core services" + examples: + - "GoTrue (Auth service) logs" + - "PostgREST API logs" + - "Database connection and authentication errors" + common_sources: + - "supabase-auth container logs" + - "supabase-rest container logs" + - "Application logs from Supabase services" + +# PostgreSQL database logs +cre.log.postgres: + description: "PostgreSQL database logs for migration errors, disk space issues, and connection problems" + examples: + - "Migration and schema change logs" + - "Disk space and WAL file errors" + - "Database constraint violations" + common_sources: + - "PostgreSQL container logs" + - "/var/log/postgresql/postgresql-*.log" + - "supabase-db container logs" + +# Storage service logs +cre.log.storage: + description: "Supabase Storage service logs for S3 connectivity and file operations" + examples: + - "S3 authentication and credential errors" + - "Bucket access and permission issues" + - "File upload/download failures" + common_sources: + - "supabase-storage container logs" + - "Storage service application logs" + +# Realtime service logs +cre.log.realtime: + description: "Supabase Realtime service logs for websocket connections and real-time subscriptions" + examples: + - 
"Elixir application startup errors" + - "Websocket connection failures" + - "Database replication configuration issues" + common_sources: + - "supabase-realtime container logs" + - "Elixir/Phoenix application logs" + +# Kong API Gateway logs +cre.log.kong: + description: "Kong API Gateway logs for rate limiting, SSL issues, and API routing" + examples: + - "Rate limiting and quota enforcement" + - "SSL/TLS certificate errors" + - "API routing and upstream failures" + common_sources: + - "kong container logs" + - "/usr/local/kong/logs/error.log" + - "API gateway access logs" + +# Vector log collector configuration +cre.log.vector: + description: "Vector log aggregation configuration for centralized logging" + examples: + - "Log transformation and routing" + - "Multi-service log aggregation" + - "Structured log parsing" + common_sources: + - "Vector container logs" + - "Centralized logging pipeline output" diff --git a/rules/tags/categories.yaml b/rules/tags/categories.yaml index e61a0cb..9f37f93 100644 --- a/rules/tags/categories.yaml +++ b/rules/tags/categories.yaml @@ -244,3 +244,13 @@ categories: description: | Failures that prevent MongoDB from starting successfully due to corrupted metadata, invalid configurations, or unrecoverable internal errors (e.g., WiredTiger metadata corruption). These failures often require manual repair or backup restoration. + - name: supabase-problem + displayName: Supabase Problems + description: | + Problems specific to Supabase self-hosted deployments including authentication failures, database connectivity issues, + storage misconfigurations, realtime service crashes, and infrastructure-related failures that affect the entire Supabase stack. + - name: realtime-problem + displayName: Realtime Problems + description: | + Failures in real-time communication systems including WebSocket connection issues, real-time subscription failures, + and problems with live data streaming that affect user experience in interactive applications. 
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml index 1acb1dc..2f0b755 100644 --- a/rules/tags/tags.yaml +++ b/rules/tags/tags.yaml @@ -213,6 +213,9 @@ tags: - name: api-key displayName: Api Key description: Problems related to API keys, such as missing, invalid, or expired credentials + - name: jwt + displayName: JWT + description: Problems related to JSON Web Tokens, such as invalid signatures, expired tokens, or malformed claims - name: async displayName: Async description: Problems related to asynchronous execution, such as hung tasks, race conditions, or callback errors @@ -844,4 +847,16 @@ tags: description: Issues with Kubernetes pod scheduling due to resource constraints or networking problems - name: cluster-scaling displayName: Cluster Scaling - description: Problems related to Kubernetes cluster scaling operations and capacity management \ No newline at end of file + description: Problems related to Kubernetes cluster scaling operations and capacity management + - name: supabase + displayName: Supabase + description: Problems related to Supabase self-hosted deployments and services + - name: gotrue + displayName: GoTrue + description: Problems related to Supabase's GoTrue authentication service + - name: realtime + displayName: Realtime + description: Problems related to Supabase's realtime service and WebSocket connections + - name: self-hosted + displayName: Self-Hosted + description: Problems specific to self-hosted deployments and infrastructure \ No newline at end of file
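Review bot: in the CRE-2025-0137 rule file, the RECOVERY step `docker-compose exec db pg_check` names a binary that PostgreSQL does not ship; the documented integrity tools are `pg_amcheck` (PostgreSQL 14+, runs against the live server) and `pg_checksums` (requires the cluster stopped and data checksums enabled). The PREVENTION item "Implement automated cleanup of old WAL files" should be reworded so it cannot be read as deleting segments from pg_wal by hand, which makes the cluster unrecoverable; bound WAL growth with `max_wal_size` and `wal_keep_size`, drop inactive replication slots, and let checkpoints recycle segments. The event source is `cre.log.supabase`, but rules/data-sources.yaml in this same patch lists "Disk space and WAL file errors" and supabase-db container logs under `cre.log.postgres`; pick one source and keep the rule and the registry consistent.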
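Review bot: every line in rules/cre-2025-0137/test.log is hand-written in a uniform `<timestamp> ERROR supabase-db ...` shape and the regexes were clearly derived from these lines, so the test never shows the rule firing on output the server actually produces. Add at least one line in PostgreSQL's default log_line_prefix layout, for example `2025-01-28 10:50:32.118 UTC [87] ERROR:  could not extend file "base/13442/16384": No space left on device` followed by its `HINT:  Check free disk space.` continuation line, so the colon and double-space formatting is exercised; the present `could not extend file.*No space left` alternation would match it, but the others should be checked the same way.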
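Review bot: the match block in the CRE-2025-0138 rule file keys on prose ("Too Many Requests", "quota exceeded", "API throttled") that Kong does not write to error.log when the rate-limiting plugin rejects a request; the rejection is visible as a 429 status in the access log and as the response body `{"message":"API rate limit exceeded"}`. Match on the status field of the access-log line (and on that literal message where bodies are logged), otherwise the rule will only fire on the synthetic test.log. Also confirm whether `- value: "rate-limiting"` is ANDed with the regexes: the hyphenated plugin name appears in only two of the nine test lines, so if it is a required term most of the sample lines would never trigger the rule.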
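Review bot: rules/cre-2025-0138/test.log lacks a trailing newline while the other test.log files in this patch end with blank lines, and none of its nine lines is a Kong access-log entry. Add one entry in Kong's default Nginx combined access-log format carrying status 429 so the rule is validated against production output rather than only against the free-text lines that were written to fit the regexes.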
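Review bot: in the VALIDATION block of the CRE-2025-0139 rule file, `curl -k https://localhost:8443/` disables certificate verification, so it succeeds for exactly the broken certificates this rule is meant to catch; use `openssl s_client -connect localhost:8443 -servername localhost </dev/null` or `curl -v --cacert server.crt https://localhost:8443/` so the served chain is actually checked. `openssl verify -verbose server.crt` without `-CAfile` validates against the system trust store and will always fail for the self-signed certificate produced in the CONFIGURATION block; pass `-CAfile server.crt` there. The cause list names "Certificate and private key mismatch" but no step tests it; compare `openssl x509 -in server.crt -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum` with `openssl pkey -in server.key -pubout -outform DER | sha256sum`.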
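Review bot: the lines in rules/cre-2025-0139/test.log are phrased to fit the rule's regexes rather than to look like Kong output; Kong reports certificate problems through Nginx, as `[emerg] cannot load certificate "...": BIO_new_file() failed (... No such file or directory ...)` for a missing file and `SSL_CTX_use_PrivateKey(...) failed (... key values mismatch)` for a cert/key mismatch, and neither phrasing is covered by `SSL.*certificate.*not found` or `SSL.*handshake.*failed`. Add lines in that form to the test log and extend the patterns with `cannot load certificate|key values mismatch` so the rule fires on the real error text.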
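Review bot: rules/data-sources.yaml defines `cre.log.postgres` for "Disk space and WAL file errors" and "supabase-db container logs", yet the disk-full rule (CRE-2025-0137) in this patch reads from `cre.log.supabase`, which this file describes as Auth and PostgREST logs; align the rule's `source` with the registry. Under `cre.log.docker`, `/var/log/docker.log` is not written by default on systemd hosts, where `journalctl -u docker.service` (already listed) is the actual source; drop or qualify the path. `cre.log.vector` describes "Vector log aggregation configuration", which is a config file rather than a log stream, so either describe the Vector container's own log output or remove the entry.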
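Review bot: the two categories added to rules/tags/categories.yaml, `supabase-problem` and `realtime-problem`, are not used by any rule in this patch: CRE-2025-0130 uses `database-problem`, CRE-2025-0137 `storage-problem`, CRE-2025-0138 `api-problem` and CRE-2025-0139 `configuration-problem`. Either switch the rules to the new categories or leave them out until a rule needs them, and note that the `supabase-problem` description ("database connectivity issues, storage misconfigurations ...") overlaps with the existing categories the rules already use.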
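Review bot: the `jwt` tag added in the first rules/tags/tags.yaml hunk is not referenced by any rule in this patch; fine if a GoTrue rule elsewhere in the series carries it, but it should be confirmed so the registry does not accumulate unused entries.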
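Review bot: the second rules/tags/tags.yaml hunk registers `supabase`, `gotrue`, `realtime` and `self-hosted`, but the rules in this patch also tag `disk-full`, `migration-failure`, `wal`, `critical-failure`, `data-loss-risk`, `throttling`, `rate-limiting`, `ssl-certificate`, `certificate-verification`, `port-binding`, `startup-failure` and `container-crash`; if tags.yaml is the registry rules are validated against, each of those needs an entry unless it is already defined elsewhere in the file. The hunk also replaces one missing trailing newline with another (`\ No newline at end of file` remains after the added lines); end the file with a newline.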