CRE-2025-0163: Supabase Self-Hosted Critical Failures - Comprehensive Detection

rules/cre-2025-0163/supabase-comprehensive-failures.yaml

@@ -0,0 +1,95 @@
+rules:
+- cre:
+    id: CRE-2025-0163
+    severity: 0
+    title: Supabase self-hosted deployment critical failures - comprehensive detection
+    category: baas-problem
+    tags: [supabase, supabase-auth, supabase-db, supabase-storage, supabase-realtime, supabase-api, postgres, container-port-conflict, jwt-validation, rate-limiting, ssl-certificate, disk-full, sql-migration, s3, timeout, misconfiguration]
+    author: prequel-dev/cre
+    description: |
+      Comprehensive detection of high-severity Supabase self-hosted deployment failures including:
+      - PostgreSQL container port binding conflicts preventing database startup
+      - Missing or invalid JWT secrets breaking authentication
+      - Database connection timeouts causing service degradation
+      - S3 storage misconfigurations blocking file operations
+      - Realtime service configuration errors preventing websocket connections
+      - SQL migration syntax failures corrupting database schema
+      - Auth service port conflicts and API rate limiting
+      - Critical infrastructure failures: disk space exhaustion and SSL certificate issues
+
+      These failures can render entire Supabase deployments non-functional and require immediate attention.
+    cause: |
+      Multiple potential failure modes in Supabase self-hosted environments:
+
+      Infrastructure Issues:
+      - Port 5432 (PostgreSQL) or 9999 (Auth) already bound by other processes
+      - Disk space exhaustion during migrations or operations
+      - SSL certificates expired, invalid, or missing
+
+      Configuration Problems:
+      - Missing or invalid JWT_SECRET environment variable
+      - Incorrect S3 credentials or bucket configuration
+      - Database connection string misconfigurations
+      - Invalid websocket or realtime service settings
+
+      Application-Level Failures:
+      - SQL syntax errors in migration files
+      - Database connection pool exhaustion
+      - API rate limits exceeded during peak usage
+      - TLS handshake failures due to certificate issues
+    impact: |
+      Complete service unavailability and critical system failures:
+      - Supabase services unable to start due to port conflicts
+      - Authentication system completely broken, blocking all user access
+      - Database operations failing with timeouts and connection errors
+      - File upload/download completely non-functional
+      - Real-time features (subscriptions, presence) unavailable
+      - API requests failing with 429, 500, or SSL errors
+      - Database schema deployment failures causing data corruption
+      - Security vulnerabilities from insecure connections
+      - Potential data loss from incomplete operations
+      - Business operations completely halted
+    mitigation: |
+      Immediate Response Actions:
+      1. Port Conflicts: Check `lsof -i :5432` and `lsof -i :9999`, stop conflicting services
+      2. JWT Secrets: Generate secure secret with `openssl rand -base64 64`
+      3. Database: Monitor connections with `SELECT count(*) FROM pg_stat_activity;`
+      4. Storage: Verify S3 credentials and bucket access with AWS CLI
+      5. SSL: Renew certificates and verify chain with `openssl verify`
+      6. Disk Space: Check `df -h`, clean up with `docker system prune -a`
+      7. Migrations: Test SQL syntax in development before applying
+      8. Rate Limits: Implement exponential backoff and request throttling
+
+      Long-term Prevention:
+      - Set up monitoring and alerting for all critical components
+      - Implement automated certificate renewal
+      - Configure log rotation and disk space monitoring
+      - Use infrastructure as code for consistent deployments
+      - Establish proper testing pipelines for migrations
+    applications:
+      - name: supabase
+        version: ">= 0.1.0"
+      - name: postgresql
+        version: ">= 13.0"
+      - name: docker
+        version: ">= 20.10.0"
+      - name: gotrue
+        version: ">= 2.0.0"
+    references:
+      - "https://supabase.com/docs/guides/self-hosting/docker#troubleshooting"
+      - "https://github.com/supabase/supabase/discussions"
+      - "https://supabase.com/docs/guides/platform/performance"
+    scores:
+      cvss: "9.1"
+      cvss_severity: "CRITICAL"
+      cwe: "CWE-665"
+  metadata:
+    kind: prequel
+    id: G5stYEGyQoDEGGaCbZLKdT
+    gen: 1
+  rule:
+    set:
+      event:
+        source: cre.log.supabase
+      match:
+        - regex: '.*(Error: listen EADDRINUSE.*:(5432|9999)|bind: address already in use|port.*already allocated|JWT_SECRET.*not set|invalid.*jwt.*secret|JWT secret.*too short|connection.*timeout|could not connect.*database|timeout expired|S3.*AccessDenied|InvalidAccessKeyId|NoSuchBucket|Realtime.*failed to start|websocket.*connection.*refused|ERROR.*syntax error.*at or near|migration.*failed.*invalid.*SQL|relation.*does not exist|429.*Too Many Requests|Rate limit exceeded|No space left on device|SSL.*certificate.*expired|certificate verify failed|TLS.*handshake.*failed).*'

rules/cre-2025-0163/test.log

@@ -0,0 +1,32 @@
+# PostgreSQL Port Conflicts
+2025-08-31T10:15:23.456Z ERROR: listen EADDRINUSE: address already in use :::5432
+2025-08-31T10:15:25.789Z ERROR: docker: Error response from daemon: bind: address already in use
+
+# JWT Secret Issues  
+2025-08-31T10:20:15.123Z ERROR: JWT_SECRET environment variable not set
+2025-08-31T10:20:17.789Z ERROR: JWT secret is too short, minimum 32 characters required
+
+# Database Connection Timeouts
+2025-08-31T10:25:10.123Z ERROR: connection timeout after 30000ms
+2025-08-31T10:25:12.789Z ERROR: timeout expired (PostgreSQL connection)
+
+# S3 Storage Misconfigurations
+2025-08-31T10:30:05.123Z ERROR: S3 operation failed: AccessDenied: Access Denied
+2025-08-31T10:30:06.456Z FATAL: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist
+
+# Realtime Service Errors
+2025-08-31T10:35:01.123Z ERROR: Realtime service failed to start: database connection invalid
+2025-08-31T10:35:02.456Z WARN: websocket connection refused on port 4000
+
+# SQL Migration Failures
+2025-08-31T10:40:01.123Z ERROR: syntax error at or near "CRATE" at character 1
+2025-08-31T10:40:03.789Z ERROR: relation "user_profiles" does not exist
+
+# API Rate Limiting
+2025-08-31T10:45:03.789Z WARN: 429 Too Many Requests: Rate limit exceeded for authentication
+2025-08-31T10:45:04.234Z ERROR: Rate limit exceeded for auth endpoint
+
+# Infrastructure Failures
+2025-08-31T10:50:01.123Z ERROR: write failed: No space left on device
+2025-08-31T10:50:03.789Z ERROR: SSL certificate expired: unable to get local issuer certificate
+2025-08-31T10:50:05.567Z ERROR: TLS handshake failed: certificate verification error

rules/tags/categories.yaml

@@ -244,6 +244,18 @@ categories:
     description: |
       Failures that prevent MongoDB from starting successfully due to corrupted metadata, invalid configurations,
       or unrecoverable internal errors (e.g., WiredTiger metadata corruption). These failures often require manual repair or backup restoration.
+  - name: baas-problem
+    displayName: Backend-as-a-Service Problems
+    description: Problems related to BaaS platforms like Supabase, Firebase, Appwrite, and similar services
+  - name: supabase-infrastructure-problem
+    displayName: Supabase Infrastructure Problems
+    description: Core infrastructure failures in Supabase deployments including container orchestration, networking, and service dependencies
+  - name: supabase-auth-problem
+    displayName: Supabase Authentication Problems
+    description: Authentication and JWT-related failures in Supabase that prevent user access or API functionality
+  - name: supabase-storage-problem
+    displayName: Supabase Storage Problems
+    description: Object storage failures and S3 compatibility issues affecting file upload, download, and management in Supabase
   - name: infinite-loop-problem
     displayName: Infinite Loop Problems
     description: |

rules/tags/tags.yaml

@@ -845,6 +845,36 @@ tags:
   - name: cluster-scaling
     displayName: Cluster Scaling
     description: Problems related to Kubernetes cluster scaling operations and capacity management
+  - name: supabase
+    displayName: Supabase
+    description: Problems related to Supabase Backend-as-a-Service platform
+  - name: supabase-auth
+    displayName: Supabase Auth
+    description: Authentication and authorization issues in Supabase
+  - name: supabase-db
+    displayName: Supabase Database
+    description: Database connectivity and query issues in Supabase
+  - name: supabase-storage
+    displayName: Supabase Storage
+    description: Object storage and file management issues in Supabase
+  - name: supabase-realtime
+    displayName: Supabase Realtime
+    description: Real-time subscription and websocket issues in Supabase
+  - name: supabase-api
+    displayName: Supabase API
+    description: REST API and auto-generated API issues in Supabase
+  - name: jwt-validation
+    displayName: JWT Validation
+    description: Problems with JSON Web Token validation and processing
+  - name: rls-policy
+    displayName: RLS Policy
+    description: Row Level Security policy failures and misconfigurations
+  - name: container-port-conflict
+    displayName: Container Port Conflict
+    description: Port binding conflicts in containerized environments
+  - name: sql-migration
+    displayName: SQL Migration
+    description: Database migration and schema evolution problems
   - name: autogpt
     displayName: AutoGPT
     description: Problems related to AutoGPT autonomous AI agent framework