prequel-dev · RaghavArora14 · Aug 31, 2025 · Aug 31, 2025 · Aug 31, 2025 · Aug 31, 2025
diff --git a/rules/cre-2025-0130/supabase-postgres-port-conflict.yaml b/rules/cre-2025-0130/supabase-postgres-port-conflict.yaml
@@ -0,0 +1,67 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB1PtGC5QLJQnVmAkV11A
+      gen: 1
+    cre:
+      id: CRE-2025-0130
+      severity: 1
+      title: "Supabase Self-Hosted: Postgres Container Fails to Start Due to Port Conflict"
+      category: "database-problem"
+      author: Prequel
+      description: |
+        Detects when Supabase self-hosted Postgres container fails to start because another service is already using port 5432.
+        This is a common issue during initial setup or when multiple Postgres instances are running on the same host.
+        The failure prevents the entire Supabase stack from starting properly.
+      cause: |
+        - Another Postgres instance is already running on port 5432
+        - Docker port mapping conflict with existing services
+        - System service (like postgres system package) is using the default Postgres port
+        - Previous Supabase containers were not properly cleaned up
+      tags:
+        - supabase
+        - postgres
+        - port-binding
+        - configuration
+        - startup-failure
+        - self-hosted
+        - container-crash
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Stop conflicting Postgres instance: `sudo systemctl stop postgresql` or `docker stop <postgres-container>`
+          - Change Supabase Postgres port in .env: `POSTGRES_PORT=5433`
+          - Use Docker port mapping: `-p 5433:5432` instead of `-p 5432:5432`
+        PREVENTION:
+          - Check for running services before starting Supabase: `sudo netstat -tlnp | grep :5432`
+          - Use non-standard ports for self-hosted deployments
+          - Implement proper cleanup procedures in deployment scripts
+      references:
+        - https://supabase.com/docs/guides/self-hosting
+        - https://docs.docker.com/config/containers/container-networking/
+      applications:
+        - name: postgres
+          containerName: supabase-db
+          version: "15.*"
+        - name: supabase
+          version: "*"
+      impact: |
+        - Complete Supabase stack startup failure
+        - Database service unavailable
+        - All dependent services (Auth, REST API, Realtime) cannot start
+        - Development environment blocked
+      impactScore: 9
+      mitigationScore: 3
+      reports: 15
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.supabase
+        match:
+          - regex: 'Error starting userland proxy.*5432.*bind.*address already in use'
+          - regex: 'Ports are not available.*5432.*bind.*address already in use'
+          - regex: 'driver failed programming external connectivity.*supabase-db'
+          - value: "supabase-db"
+
+
diff --git a/rules/cre-2025-0130/test.log b/rules/cre-2025-0130/test.log
@@ -0,0 +1,9 @@
+2025-01-28T10:15:30Z ERROR   supabase-db     Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use
+2025-01-28T10:15:30Z ERROR   supabase-db     driver failed programming external connectivity on endpoint supabase-db: Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use
+2025-01-28T10:15:31Z ERROR   supabase-db     Ports are not available: listen tcp 0.0.0.0:5432: bind: address already in use
+2025-01-28T10:15:31Z ERROR   supabase-db     failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:380: starting container process caused: listen tcp 0.0.0.0:5432: bind: address already in use
+2025-01-28T10:15:32Z ERROR   supabase-db     Error response from daemon: driver failed programming external connectivity on endpoint supabase-db (a1b2c3d4e5f6): Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use
+2025-01-28T10:15:32Z ERROR   supabase-db     Container supabase-db  exited with code 125
+2025-01-28T10:15:32Z ERROR   supabase-db     Service 'db' failed to build: Error starting userland proxy: listen tcp 0.0.0.0:5432: bind: address already in use
+
+
diff --git a/rules/cre-2025-0131/supabase-jwt-secret-invalid.yaml b/rules/cre-2025-0131/supabase-jwt-secret-invalid.yaml
@@ -0,0 +1,72 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB2JwtS3cr3tInv4l1dA
+      gen: 1
+    cre:
+      id: CRE-2025-0131
+      severity: 1
+      title: "Supabase Self-Hosted: JWT Secret Missing or Invalid Configuration"
+      category: "authentication"
+      author: Prequel
+      description: |
+        Detects when Supabase self-hosted services fail due to missing, empty, or invalid JWT_SECRET configuration.
+        This affects Auth service, REST API, and all authentication-dependent operations. Invalid JWT secrets prevent
+        API token validation and break the entire authentication flow.
+      cause: |
+        - JWT_SECRET environment variable is empty or not set
+        - JWT_SECRET is too short (less than 32 characters)
+        - JWT_SECRET doesn't match the API keys (ANON_KEY, SERVICE_ROLE_KEY)
+        - JWT_SECRET contains invalid characters or format
+      tags:
+        - supabase
+        - authentication
+        - jwt
+        - configuration
+        - security
+        - api-key
+        - self-hosted
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Set valid JWT_SECRET in .env: `JWT_SECRET=your-super-secret-jwt-token-with-at-least-32-characters-long`
+          - Regenerate API keys if JWT_SECRET was changed: Use Supabase CLI or JWT generator
+          - Ensure JWT_SECRET matches the secret used to generate ANON_KEY and SERVICE_ROLE_KEY
+        VERIFICATION:
+          - Test auth endpoint: `curl http://localhost:8000/auth/v1/user`
+          - Verify JWT validation: Check service logs for "invalid JWT" errors
+        PREVENTION:
+          - Use environment variable validation in deployment scripts
+          - Store secrets securely (HashiCorp Vault, Kubernetes secrets)
+          - Document JWT_SECRET requirements in setup guides
+      references:
+        - https://supabase.com/docs/guides/self-hosting/docker
+        - https://jwt.io/introduction/
+        - https://supabase.com/docs/learn/auth-deep-dive/auth-deep-dive-jwts
+      applications:
+        - name: gotrue
+          containerName: supabase-auth
+          version: "v2.*"
+        - name: postgrest
+          containerName: supabase-rest
+          version: "v12.*"
+      impact: |
+        - Complete authentication system failure
+        - API requests return 401 Unauthorized
+        - Users cannot sign in or access protected resources
+        - All client applications lose authentication capability
+      impactScore: 10
+      mitigationScore: 4
+      reports: 25
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.supabase
+        match:
+          - regex: 'invalid JWT.*secret|JWT_SECRET.*empty|JWT.*validation.*failed'
+          - regex: 'authentication failed.*JWT|invalid.*token.*signature'
+          - regex: 'GOTRUE_JWT_SECRET.*required|JWT secret.*too short'
+          - value: "authentication"
+
+
diff --git a/rules/cre-2025-0131/test.log b/rules/cre-2025-0131/test.log
@@ -0,0 +1,12 @@
+2025-01-28T10:20:15Z ERROR   supabase-auth    GOTRUE_JWT_SECRET is required but not provided
+2025-01-28T10:20:15Z ERROR   supabase-auth    invalid JWT secret: JWT_SECRET must be at least 32 characters long
+2025-01-28T10:20:16Z ERROR   supabase-auth    authentication failed: invalid JWT signature
+2025-01-28T10:20:16Z ERROR   supabase-rest    JWT validation failed: token signature is invalid
+2025-01-28T10:20:17Z ERROR   supabase-auth    failed to validate JWT token: crypto/rsa: verification error
+2025-01-28T10:20:17Z ERROR   supabase-rest    authentication error: invalid token signature, expected different signing method
+2025-01-28T10:20:18Z WARN    supabase-auth    JWT_SECRET environment variable is empty, using default (INSECURE)
+2025-01-28T10:20:18Z ERROR   supabase-rest    PGRST_JWT_SECRET validation failed: secret too short
+2025-01-28T10:20:19Z ERROR   supabase-auth    cannot decode JWT token: illegal base64 data
+2025-01-28T10:20:19Z ERROR   supabase-kong    authentication plugin error: JWT verification failed
+
+
diff --git a/rules/cre-2025-0132/supabase-database-connection-timeout.yaml b/rules/cre-2025-0132/supabase-database-connection-timeout.yaml
@@ -0,0 +1,78 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB3DbConn3ct11nT1m31ut
+      gen: 1
+    cre:
+      id: CRE-2025-0132
+      severity: 2
+      title: "Supabase Self-Hosted: Database Connection Timeout and Service Failure"
+      category: "database-problem"
+      author: Prequel
+      description: |
+        Detects when Supabase services lose connection to the PostgreSQL database due to timeouts, network issues,
+        or database unavailability. This affects Auth, REST API, Storage, and all database-dependent operations.
+        Occurs during database restarts, network partitions, or when database becomes unresponsive.
+      cause: |
+        - PostgreSQL database container stopped or crashed
+        - Network connectivity issues between services and database
+        - Database server overloaded and not responding to connections
+        - Database connection pool exhaustion
+        - Firewall rules blocking database access
+        - DNS resolution failures for database hostname
+      tags:
+        - supabase
+        - postgres
+        - connection
+        - timeout
+        - network
+        - self-hosted
+        - connectivity
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Check database container status: `docker-compose ps db`
+          - Restart database service: `docker-compose restart db`
+          - Verify database connectivity: `docker-compose exec db pg_isready -U postgres`
+        INVESTIGATION:
+          - Check database logs: `docker-compose logs db`
+          - Monitor connection pool: Check for connection limit errors
+          - Verify network connectivity between containers
+        PREVENTION:
+          - Implement database health checks with proper timeouts
+          - Configure connection pooling limits appropriately
+          - Set up database monitoring and alerting
+          - Use connection retry logic with exponential backoff
+      references:
+        - https://www.postgresql.org/docs/current/runtime-config-connection.html
+        - https://supabase.com/docs/guides/platform/troubleshooting
+      applications:
+        - name: gotrue
+          containerName: supabase-auth
+        - name: postgrest
+          containerName: supabase-rest
+        - name: storage-api
+          containerName: supabase-storage
+        - name: realtime
+          containerName: supabase-realtime
+      impact: |
+        - API requests fail with database connection errors
+        - User authentication becomes unavailable
+        - File storage operations fail
+        - Real-time subscriptions disconnect
+        - Application becomes unusable until database connectivity is restored
+      impactScore: 8
+      mitigationScore: 5
+      reports: 30
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.supabase
+        match:
+          - regex: 'connection.*refused.*5432|timeout.*database|dial tcp.*5432.*connection refused'
+          - regex: 'failed to connect to.*postgres|database connection.*timeout|connection reset by peer'
+          - regex: 'could not connect to server|server closed the connection|connection timed out'
+          - value: "database"
+
+
diff --git a/rules/cre-2025-0132/test.log b/rules/cre-2025-0132/test.log
@@ -0,0 +1,12 @@
+2025-01-28T10:25:45Z ERROR   supabase-auth    failed to connect to database: dial tcp 172.20.0.2:5432: connect: connection refused
+2025-01-28T10:25:45Z ERROR   supabase-rest    database connection timeout: could not connect to server: Connection refused
+2025-01-28T10:25:46Z ERROR   supabase-storage connection to database failed: dial tcp db:5432: i/o timeout
+2025-01-28T10:25:46Z ERROR   supabase-realtime database health check failed: connection refused (ECONNREFUSED)
+2025-01-28T10:25:47Z ERROR   supabase-auth    pq: server closed the connection unexpectedly
+2025-01-28T10:25:47Z ERROR   supabase-rest    connection reset by peer while connecting to postgres
+2025-01-28T10:25:48Z ERROR   supabase-storage DATABASE_URL connection failed: timeout expired
+2025-01-28T10:25:48Z ERROR   supabase-realtime could not connect to database: timeout after 30000ms
+2025-01-28T10:25:49Z ERROR   supabase-auth    database connection lost: An I/O error occurred while sending to the backend
+2025-01-28T10:25:49Z ERROR   supabase-rest    connection to server at "db" (172.20.0.2), port 5432 failed: timeout expired
+
+
diff --git a/rules/cre-2025-0133/supabase-storage-s3-misconfiguration.yaml b/rules/cre-2025-0133/supabase-storage-s3-misconfiguration.yaml
@@ -0,0 +1,78 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: SB4St1r4g3S3M1sc1nf1g
+      gen: 1
+    cre:
+      id: CRE-2025-0133
+      severity: 2
+      title: "Supabase Self-Hosted: Storage Service Fails Due to S3 Misconfiguration"
+      category: "storage-problem"
+      author: Prequel
+      description: |
+        Detects when Supabase Storage service fails due to incorrect S3 configuration including invalid credentials,
+        non-existent buckets, or wrong S3 endpoint settings. This affects file upload/download operations and
+        prevents the storage API from functioning properly.
+      cause: |
+        - Invalid AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+        - Non-existent or inaccessible S3 bucket
+        - Incorrect S3 region configuration
+        - Wrong S3 endpoint URL (for custom S3-compatible services)
+        - Insufficient S3 bucket permissions
+        - Network connectivity issues to S3 service
+      tags:
+        - supabase
+        - storage
+        - s3
+        - aws
+        - configuration
+        - api-key
+        - self-hosted
+        - infrastructure
+        - public
+      mitigation: |
+        IMMEDIATE:
+          - Verify S3 credentials: Test with AWS CLI `aws s3 ls s3://your-bucket`
+          - Check bucket existence and permissions in AWS Console
+          - Validate S3 region matches configuration
+        CONFIGURATION:
+          - Update .env with correct S3 credentials:
+            ```
+            AWS_ACCESS_KEY_ID=valid_access_key
+            AWS_SECRET_ACCESS_KEY=valid_secret_key
+            AWS_DEFAULT_REGION=correct_region
+            S3_BUCKET=existing_bucket_name
+            ```
+          - Ensure S3 bucket policy allows storage service operations
+          - Test connectivity to S3 endpoint from container network
+        PREVENTION:
+          - Use IAM roles instead of access keys when possible
+          - Implement S3 configuration validation in deployment scripts
+          - Set up monitoring for S3 API call failures
+      references:
+        - https://supabase.com/docs/guides/storage/s3
+        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
+      applications:
+        - name: storage-api
+          containerName: supabase-storage
+          version: "v1.*"
+      impact: |
+        - File upload/download operations fail
+        - Storage API returns authentication errors
+        - Users cannot access stored files
+        - Application features requiring file storage become unavailable
+      impactScore: 7
+      mitigationScore: 4
+      reports: 18
+    rule:
+      set:
+        window: 5m
+        event:
+          source: cre.log.storage
+        match:
+          - regex: 'AWS.*credentials.*invalid|S3.*authentication.*failed|AccessDenied.*S3'
+          - regex: 'NoSuchBucket.*does not exist|InvalidAccessKeyId|SignatureDoesNotMatch'
+          - regex: 'S3.*connection.*failed|unable to connect.*s3|InvalidBucketName'
+          - value: "storage"
+
+
diff --git a/rules/cre-2025-0133/test.log b/rules/cre-2025-0133/test.log
@@ -0,0 +1,11 @@
+2025-01-28T10:30:22Z ERROR   supabase-storage AWS credentials are invalid: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records
+2025-01-28T10:30:22Z ERROR   supabase-storage S3 authentication failed: SignatureDoesNotMatch: The request signature we calculated does not match
+2025-01-28T10:30:23Z ERROR   supabase-storage S3 operation failed: NoSuchBucket: The specified bucket does not exist: invalid-bucket-name-12345
+2025-01-28T10:30:23Z ERROR   supabase-storage unable to connect to S3 endpoint: dial tcp: lookup s3.amazonaws.com: no such host
+2025-01-28T10:30:24Z ERROR   supabase-storage AccessDenied: Access Denied for bucket operations
+2025-01-28T10:30:24Z ERROR   supabase-storage S3 connection failed: InvalidBucketName: The specified bucket is not valid
+2025-01-28T10:30:25Z ERROR   supabase-storage AWS SDK error: credentials: environment credentials not found
+2025-01-28T10:30:25Z ERROR   supabase-storage storage backend initialization failed: S3 service unavailable
+2025-01-28T10:30:26Z ERROR   supabase-storage file upload failed: S3 authentication error - check credentials
+
+