@piyzard piyzard commented Sep 1, 2025

CRE-2025-0163: Supabase Self-Hosted Critical Failures - Comprehensive Detection

closes #131
/claim #131

🎯 Overview

This PR introduces a comprehensive detection rule for Supabase self-hosted deployment failures - addressing critical infrastructure, configuration, and application-level issues that completely break Supabase deployments. The rule identifies 40+ distinct failure patterns across PostgreSQL, Auth, Storage, Realtime, and API Gateway components, enabling rapid incident response for complete service outages.

CRE Playground Links

CRE-2025-0163 Playground: Test Rule

📊 Supabase Failure Modes Covered

🔴 Infrastructure Failures (Critical)

| # | Component | Error Pattern | Severity |
|---|-----------|---------------|----------|
| 1 | PostgreSQL Port Conflict | Error: listen EADDRINUSE :5432 | CRITICAL |
| 2 | Auth Service Port Conflict | bind: address already in use :9999 | CRITICAL |
| 3 | Disk Space Exhaustion | No space left on device | CRITICAL |
| 4 | SSL Certificate Expired | SSL certificate expired | HIGH |
| 5 | TLS Handshake Failure | TLS handshake failed | HIGH |

🔐 Authentication & Security Failures

| # | Component | Error Pattern | Impact |
|---|-----------|---------------|--------|
| 6 | Missing JWT Secret | JWT_SECRET not set | Complete auth failure |
| 7 | Invalid JWT Secret | invalid jwt secret | No user authentication |
| 8 | JWT Secret Too Short | JWT secret too short | Security vulnerability |
| 9 | Certificate Verification | certificate verify failed | Insecure connections |

🗄️ Database Connection Failures

| # | Component | Error Pattern | Service Impact |
|---|-----------|---------------|----------------|
| 10 | Connection Timeout | connection timeout | Service degradation |
| 11 | Database Unreachable | could not connect database | Complete DB failure |
| 12 | Timeout Expired | timeout expired | Query failures |
| 13 | Connection Pool Exhausted | too many connections | New connections blocked |

📦 Storage Service Failures (S3)

| # | Component | Error Pattern | Business Impact |
|---|-----------|---------------|-----------------|
| 14 | S3 Access Denied | S3 AccessDenied | No file uploads |
| 15 | Invalid Access Key | InvalidAccessKeyId | Storage auth failure |
| 16 | Bucket Not Found | NoSuchBucket | Missing storage backend |
| 17 | Storage Permissions | Permission denied | Read/write failures |

🔄 Realtime & WebSocket Failures

| # | Component | Error Pattern | Feature Impact |
|---|-----------|---------------|----------------|
| 18 | Realtime Service Down | Realtime failed to start | No live updates |
| 19 | WebSocket Refused | websocket connection refused | No subscriptions |
| 20 | Channel Subscription Fail | subscription failed | Missing events |

🚨 Migration & Schema Failures

| # | Component | Error Pattern | Data Impact |
|---|-----------|---------------|-------------|
| 21 | SQL Syntax Error | ERROR syntax error at or near | Migration blocked |
| 22 | Migration Failed | migration failed invalid SQL | Schema corruption |
| 23 | Missing Relations | relation does not exist | Query failures |
| 24 | Schema Version Mismatch | schema version conflict | Inconsistent state |

⚡ API Gateway & Rate Limiting

| # | Component | Error Pattern | User Impact |
|---|-----------|---------------|-------------|
| 25 | Rate Limit Exceeded | 429 Too Many Requests | Service unavailable |
| 26 | API Rate Limited | Rate limit exceeded | Throttled requests |
| 27 | Gateway Timeout | 504 Gateway Timeout | Request failures |

🧪 Testing & Validation

cat rules/cre-2025-0163/test.log | preq -r rules/cre-2025-0163/supabase-comprehensive-failures.yaml -d

🎬 Demo Environment

Demo Repository: https://github.com/piyzard/cre-2025-0163-supabase-failures

./start.sh

📚 References

@piyzard piyzard changed the title cre CRE-2025-0163: Supabase Self-Hosted Critical Failures - Comprehensive Detection Sep 1, 2025
- "https://supabase.com/docs/guides/self-hosting/docker#troubleshooting"
- "https://github.com/supabase/supabase/discussions"
- "https://supabase.com/docs/guides/platform/performance"
scores:
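Review bot: In the reference list, https://github.com/supabase/supabase/discussions is the discussions index rather than a specific thread, and https://supabase.com/docs/guides/platform/performance sits under guides/platform rather than guides/self-hosting, so only the first entry (the self-hosting Docker troubleshooting section) visibly relates to self-hosted failures. Suggest linking the specific discussion threads that document the matched error strings, or dropping the two generic entries.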
Contributor

What is this?

Contributor Author

@tonymeehan troubleshooting docs for reference,
should I change it?

@piyzard piyzard requested a review from tonymeehan September 3, 2025 16:07
Successfully merging this pull request may close these issues.

Supabase (self-hosted): Reproduce High-Severity Failures from the Troubleshooting Guide & Write a CRE Rule [Submit by September 3 11:59 pm ET]