supabase-audit-buckets-list
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-list
Agent installation distribution
Skill documentation
List Storage Buckets
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

- Write to `.sb-pentest-context.json` IMMEDIATELY after each bucket discovered
- Log to `.sb-pentest-audit.log` BEFORE and AFTER each operation
- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.
This skill discovers all storage buckets configured in a Supabase project.
When to Use This Skill
- To inventory all storage buckets
- Before testing bucket access permissions
- To identify publicly accessible buckets
- As part of storage security audit
Prerequisites
- Supabase project URL and anon key available
- Supabase detection completed (the target is confirmed to be a Supabase project)
Understanding Supabase Storage

Supabase Storage is served by the project's Storage API at:

https://[project].supabase.co/storage/v1/

Each bucket is either:

- Public: objects are served at /storage/v1/object/public/[bucket]/[path] without any authentication. RLS policies on storage.objects are not consulted for these downloads; they still govern listing, uploads, updates and deletes.
- Private: every operation, including downloads, is checked against the RLS policies on storage.objects for the caller's role (anon or authenticated).
Storage API Endpoints

| Endpoint | Method | Purpose |
|---|---|---|
| /storage/v1/bucket | GET | List buckets (subject to RLS on storage.buckets; returns `[]` if the caller has no SELECT policy) |
| /storage/v1/object/list/[bucket] | POST | List files in bucket (JSON body with `prefix`, `limit`, `offset`) |
| /storage/v1/object/[bucket]/[path] | GET | Access file (authenticated route, RLS enforced) |
| /storage/v1/object/public/[bucket]/[path] | GET | Public file URL (no auth; only works for public buckets) |
Usage
Basic Bucket List
List storage buckets on my Supabase project
With Configuration Details
List all buckets with their security settings
Output Format

```
═══════════════════════════════════════════════════════════
STORAGE BUCKETS
═══════════════════════════════════════════════════════════
Project: abc123def.supabase.co
Buckets Found: 5

─────────────────────────────────────────────────────────
Bucket Inventory
─────────────────────────────────────────────────────────

1. avatars
   ├── Public: ✅ YES
   ├── File Size Limit: 1MB
   ├── Allowed MIME: image/jpeg, image/png, image/webp
   ├── Files (estimated): 1,247
   └── Status: ℹ️ Expected public bucket
   Public URL pattern:
   https://abc123def.supabase.co/storage/v1/object/public/avatars/[filename]

2. documents
   ├── Public: ❌ NO (Private)
   ├── File Size Limit: 50MB
   ├── Allowed MIME: application/pdf, application/msword, *
   ├── Files (estimated): 523
   └── Status: ✅ Private, needs RLS verification

3. uploads
   ├── Public: ✅ YES
   ├── File Size Limit: 100MB
   ├── Allowed MIME: */* (ANY)
   ├── Files (estimated): 3,891
   └── Status: 🟠 P1 - Public with unrestricted MIME types
   Risk: Any file type can be uploaded and accessed
   Recommendation: Restrict allowed MIME types

4. backups
   ├── Public: ✅ YES ⚠️ UNEXPECTED
   ├── File Size Limit: 500MB
   ├── Allowed MIME: */*
   ├── Files (estimated): 45
   └── Status: 🔴 P0 - Sensitive bucket is PUBLIC
   Risk: Backup files publicly accessible!
   Immediate Action: Change to private bucket

5. temp
   ├── Public: ❌ NO
   ├── File Size Limit: 10MB
   ├── Allowed MIME: */*
   ├── Files (estimated): 12
   └── Status: ✅ Private temporary storage

─────────────────────────────────────────────────────────
Summary
─────────────────────────────────────────────────────────
Total Buckets: 5
Public Buckets: 3
├── Expected Public: 1 (avatars)
├── P1 Issues: 1 (uploads - unrestricted MIME)
└── P0 Critical: 1 (backups - should be private)
Private Buckets: 2
└── Need RLS verification with supabase-audit-buckets-read

Next Steps:
├── Fix 'backups' bucket - make private immediately
├── Restrict MIME types on 'uploads' bucket
├── Test RLS on private buckets
└── Verify no sensitive files in public buckets
═══════════════════════════════════════════════════════════
```
Bucket Configuration Analysis

| Config | Good | Bad |
|---|---|---|
| public | ✅ false (private by default) | ❌ true for sensitive data |
| fileSizeLimit | ✅ Appropriate limits | ❌ No limit or very large |
| allowedMimeTypes | ✅ Restricted list | ❌ */* (or null) allows anything |
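The rules in the table above, applied to the raw GET /storage/v1/bucket response. This is an added example, not code from the supabase-pentest-skills project: the sensitive-name keywords, the names assumed to be intentionally public and the size-limit threshold are this example's own assumptions, and the sample response is constructed to mirror the five buckets in the Output Format.

```python
"""Classify buckets from the Storage API's GET /storage/v1/bucket response.

Added example for this page, not part of the supabase-pentest-skills project.
Assumptions (not from the page): SENSITIVE_NAME, EXPECTED_PUBLIC and
NO_LIMIT_THRESHOLD are this example's own choices. The field names
(name, public, file_size_limit, allowed_mime_types) are the storage.buckets
columns the API returns.
"""
import json
import re

# Bucket names that suggest data which should never be world-readable (assumption).
SENSITIVE_NAME = re.compile(r"backup|dump|export|private|internal|secret|invoice", re.I)
# Names that are normally meant to be public (assumption; confirm with the app owner).
EXPECTED_PUBLIC = {"avatars", "public", "assets", "static"}
# A null limit, or one of 100 MiB or more, is reported as "no meaningful limit" (assumption).
NO_LIMIT_THRESHOLD = 100 * 1024 * 1024


def mime_unrestricted(mimes):
    """True when any content type is accepted: null/empty list, or a '*/*' / '*' entry."""
    if not mimes:
        return True
    return any(m.strip() in ("*/*", "*") for m in mimes)


def classify(bucket):
    """Return the bucket with a risk_level (P0, P1, info, verify) and a list of findings."""
    name = bucket["name"]
    public = bool(bucket.get("public", False))
    limit = bucket.get("file_size_limit")
    mimes = bucket.get("allowed_mime_types")
    findings = []

    if public and SENSITIVE_NAME.search(name):
        level = "P0"
        findings.append("sensitive-looking bucket is public")
    elif public and mime_unrestricted(mimes):
        level = "P1"
        findings.append("public bucket with unrestricted MIME types")
    elif public:
        level = "info"
        findings.append("public bucket (expected)" if name in EXPECTED_PUBLIC
                        else "public bucket (confirm this is intended)")
    else:
        level = "verify"  # private: only RLS on storage.objects protects it, so test it next
        findings.append("private bucket; RLS must be verified with supabase-audit-buckets-read")

    if level != "P1" and mime_unrestricted(mimes):
        findings.append("accepts any MIME type")
    if limit is None or limit >= NO_LIMIT_THRESHOLD:
        findings.append("no meaningful file size limit")

    return {"name": name, "public": public, "file_size_limit": limit,
            "allowed_mime_types": mimes, "risk_level": level, "findings": findings}


def audit(bucket_response):
    """Classify every bucket in the API response (JSON text or parsed list) and summarise."""
    buckets = json.loads(bucket_response) if isinstance(bucket_response, str) else bucket_response
    results = [classify(b) for b in buckets]
    summary = {
        "total": len(results),
        "public": sum(1 for r in results if r["public"]),
        "private": sum(1 for r in results if not r["public"]),
        "p0_issues": sum(1 for r in results if r["risk_level"] == "P0"),
        "p1_issues": sum(1 for r in results if r["risk_level"] == "P1"),
    }
    return {"buckets": results, "summary": summary}


# Constructed sample response mirroring the five buckets in the Output Format above.
SAMPLE_RESPONSE = json.dumps([
    {"name": "avatars", "public": True, "file_size_limit": 1048576,
     "allowed_mime_types": ["image/jpeg", "image/png", "image/webp"]},
    {"name": "documents", "public": False, "file_size_limit": 52428800,
     "allowed_mime_types": ["application/pdf", "application/msword", "*"]},
    {"name": "uploads", "public": True, "file_size_limit": 104857600,
     "allowed_mime_types": ["*/*"]},
    {"name": "backups", "public": True, "file_size_limit": 524288000,
     "allowed_mime_types": ["*/*"]},
    {"name": "temp", "public": False, "file_size_limit": 10485760,
     "allowed_mime_types": None},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

A private bucket never gets a P-level here on its own: its exposure depends entirely on the storage.objects policies, which this skill does not test, so it is marked `verify` and handed to supabase-audit-buckets-read. Note that a bare `*` in allowed_mime_types, as on the `documents` bucket, is treated the same as `*/*`.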
Context Output

```json
{
  "storage": {
    "buckets": [
      {
        "name": "avatars",
        "public": true,
        "file_size_limit": 1048576,
        "allowed_mime_types": ["image/jpeg", "image/png", "image/webp"],
        "estimated_files": 1247,
        "risk_level": "info",
        "expected_public": true
      },
      {
        "name": "backups",
        "public": true,
        "file_size_limit": 524288000,
        "allowed_mime_types": ["*/*"],
        "estimated_files": 45,
        "risk_level": "P0",
        "finding": "Sensitive bucket publicly accessible"
      }
    ],
    "summary": {
      "total": 5,
      "public": 3,
      "private": 2,
      "p0_issues": 1,
      "p1_issues": 1
    }
  }
}
```
Security Recommendations

RLS policies on storage.objects are enforced for requests made with the anon and authenticated roles; the service_role key bypasses RLS entirely, so none of the policies below protect a project whose service key has leaked. For a public bucket, the /storage/v1/object/public/[bucket]/[path] route serves files without consulting storage.objects policies at all: a SELECT policy on a public bucket governs listing and the authenticated /object/ route, not the public URL.

For Public Buckets

```sql
-- Create explicit policies even for public buckets: SELECT controls listing
-- through the API, INSERT controls who may upload and into which folder.
CREATE POLICY "Public read avatars"
ON storage.objects FOR SELECT
USING (bucket_id = 'avatars');

-- storage.foldername(name) splits the object path into its folders;
-- element [1] is the top-level folder, which must equal the caller's user id.
CREATE POLICY "Users upload own avatar"
ON storage.objects FOR INSERT
WITH CHECK (
  bucket_id = 'avatars'
  AND auth.uid()::text = (storage.foldername(name))[1]
);
```

For Private Buckets

```sql
-- Only owners can access their files. FOR ALL covers SELECT, INSERT, UPDATE
-- and DELETE; with no explicit WITH CHECK, Postgres reuses the USING expression
-- for writes.
CREATE POLICY "Users access own documents"
ON storage.objects FOR ALL
USING (
  bucket_id = 'documents'
  AND auth.uid()::text = (storage.foldername(name))[1]
);
```

Fix Public Backup Bucket

```sql
-- Make bucket private. This must run as a privileged role (SQL editor or a
-- migration), not through the anon key.
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Add strict RLS. Assumes a profiles table with an is_admin boolean keyed by
-- the auth user id; a missing row yields NULL, which denies access.
CREATE POLICY "Only admins access backups"
ON storage.objects FOR ALL
USING (
  bucket_id = 'backups'
  AND (SELECT is_admin FROM profiles WHERE id = auth.uid())
);
```
Common Issues

❌ Problem: Cannot list buckets (401/403) → ✅ Solution: The key is rejected or the Storage API is gated. Record the finding as "unable to enumerate".

❌ Problem: Bucket list returns an empty array → ✅ Solution: storage.buckets is protected by RLS and the anon key has no SELECT policy on it by default, so `[]` does not mean the project has no buckets. Treat it as inconclusive: probe likely bucket names (avatars, uploads, public, images, ...) through POST /storage/v1/object/list/[bucket], and confirm a public bucket by fetching a known object through /storage/v1/object/public/[bucket]/[path].

❌ Problem: Many buckets found → ✅ Solution: Large applications may have many. Focus on public buckets first.

❌ Problem: Bucket count doesn't match expected → ✅ Solution: Some buckets may be created dynamically. Check application code.
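Handling the inconclusive empty-array case described above in code. This is an added example, not code from the supabase-pentest-skills project: `fetch` is a stand-in for an HTTP client that returns `(status, body)`, the candidate bucket names are this example's guesses, and treating a 200 with a JSON list from the object-list endpoint as "bucket reachable" (and 400/404 as not confirmed) is an assumption about the Storage API's responses.

```python
"""Interpret GET /storage/v1/bucket and fall back to probing bucket names.

Added example for this page, not the supabase-pentest-skills project's code.
Assumptions: `fetch(method, path, body)` stands in for an HTTP client and
returns (status, body); CANDIDATE_BUCKETS are guesses; response-status
semantics for unknown buckets are assumed, not taken from the API docs.
"""
import json

# Names worth probing when the bucket API will not enumerate (assumption).
CANDIDATE_BUCKETS = ["avatars", "uploads", "documents", "backups", "public", "images"]


def _parse(body):
    return json.loads(body) if isinstance(body, str) else body


def interpret_bucket_listing(status, body):
    """Map the GET /storage/v1/bucket result to: listed, empty, denied or error:<status>."""
    if status in (401, 403):
        return "denied"
    if status != 200:
        return f"error:{status}"
    data = _parse(body)
    if isinstance(data, list) and data:
        return "listed"
    # storage.buckets is under RLS; with no SELECT policy for the caller the API
    # returns [] even when buckets exist, so "empty" is inconclusive.
    return "empty"


def probe_candidates(fetch, candidates=CANDIDATE_BUCKETS):
    """Try each name against POST /storage/v1/object/list/<bucket>; return {name: verdict}."""
    verdicts = {}
    for name in candidates:
        status, body = fetch("POST", f"/storage/v1/object/list/{name}",
                             {"prefix": "", "limit": 1})
        if status == 200:
            objs = _parse(body)
            # A non-empty list proves the bucket exists and is listable by this key.
            # An empty list is inconclusive: existing bucket with no SELECT policy,
            # or genuinely empty (assumption about API behaviour).
            verdicts[name] = "listable" if objs else "reachable-empty"
        elif status in (400, 404):
            verdicts[name] = "not-confirmed"  # assumption: unknown bucket or rejected request
        else:
            verdicts[name] = f"error:{status}"
    return verdicts


def enumerate_buckets(fetch):
    """Full decision: use the bucket API when it answers, otherwise probe by name."""
    status, body = fetch("GET", "/storage/v1/bucket", None)
    verdict = interpret_bucket_listing(status, body)
    if verdict == "listed":
        return {"source": "bucket-api", "buckets": _parse(body)}
    if verdict == "denied":
        return {"source": "none", "note": "unable to enumerate", "buckets": []}
    probed = probe_candidates(fetch)
    return {
        "source": "name-probe",
        "note": f"bucket listing returned {verdict}",
        "probed": probed,
        "buckets": [{"name": n} for n, v in probed.items()
                    if v.startswith(("listable", "reachable"))],
    }


# Constructed stand-in for the network: the bucket API returns [] (no SELECT
# policy for anon), but two candidate names list objects and one lists nothing.
FAKE_RESPONSES = {
    ("GET", "/storage/v1/bucket"): (200, "[]"),
    ("POST", "/storage/v1/object/list/avatars"): (200, json.dumps([{"name": "u1.png"}])),
    ("POST", "/storage/v1/object/list/backups"): (200, json.dumps([{"name": "db-2025-01-30.sql.gz"}])),
    ("POST", "/storage/v1/object/list/uploads"): (200, "[]"),
}


def fake_fetch(method, path, body=None):
    return FAKE_RESPONSES.get((method, path), (404, json.dumps({"error": "not found"})))


if __name__ == "__main__":
    print(json.dumps(enumerate_buckets(fake_fetch), indent=2))
```

Against a real project, `fetch` would send the `apikey` and `Authorization: Bearer` headers from the page's curl commands; the decision logic stays the same. Every name-probe result is written to the context file as "found by probing", not as an authoritative inventory, since candidates the wordlist misses stay invisible.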
MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

- Before starting bucket enumeration → Log the action to `.sb-pentest-audit.log`
- After each bucket discovered → Immediately update `.sb-pentest-context.json`
- After each configuration analyzed → Log the result

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

- Update `.sb-pentest-context.json` with results:

```json
{ "storage": { "buckets": [ ... ], "summary": { "total": 5, "public": 3, "private": 2 } } }
```

- Log to `.sb-pentest-audit.log`:

```
[TIMESTAMP] [supabase-audit-buckets-list] [START] Listing storage buckets
[TIMESTAMP] [supabase-audit-buckets-list] [SUCCESS] Found 5 buckets
[TIMESTAMP] [supabase-audit-buckets-list] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```

- If the files don't exist, create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
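The write-as-you-go rule above as a small persistence layer, shown as an added example rather than the project's own code. It uses the page's file names, takes the working directory as a parameter so it can run in a temp directory, appends to the audit log line by line, and rewrites the context file atomically (temp file plus rename) so an interruption never leaves a half-written JSON behind. The sample bucket findings are constructed.

```python
"""Progressive audit-log and context-file writer for the bucket listing step.

Added example for this page, not the supabase-pentest-skills project's code.
Assumes the page's file names (.sb-pentest-context.json, .sb-pentest-audit.log)
and a caller-supplied working directory.
"""
import json
import os
import tempfile
from datetime import datetime, timezone

SKILL = "supabase-audit-buckets-list"
CONTEXT_FILE = ".sb-pentest-context.json"
AUDIT_LOG = ".sb-pentest-audit.log"


def _ts():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def log(workdir, status, message):
    """Append one line; append mode means a crash loses at most the current line."""
    with open(os.path.join(workdir, AUDIT_LOG), "a", encoding="utf-8") as fh:
        fh.write(f"[{_ts()}] [{SKILL}] [{status}] {message}\n")


def load_context(workdir):
    path = os.path.join(workdir, CONTEXT_FILE)
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_context(workdir, ctx):
    """Write to a temp file, fsync, then rename over the context file (atomic on POSIX)."""
    path = os.path.join(workdir, CONTEXT_FILE)
    fd, tmp = tempfile.mkstemp(dir=workdir, prefix=".sb-ctx-", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(ctx, fh, indent=2)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def record_bucket(workdir, bucket):
    """Persist one bucket finding immediately; called once per bucket as it is discovered."""
    ctx = load_context(workdir)
    storage = ctx.setdefault("storage", {"buckets": [], "summary": {}})
    # Replace an earlier entry for the same bucket so re-runs do not duplicate it.
    storage["buckets"] = [b for b in storage["buckets"] if b["name"] != bucket["name"]] + [bucket]
    bs = storage["buckets"]
    storage["summary"] = {
        "total": len(bs),
        "public": sum(1 for b in bs if b.get("public")),
        "private": sum(1 for b in bs if not b.get("public")),
        "p0_issues": sum(1 for b in bs if b.get("risk_level") == "P0"),
        "p1_issues": sum(1 for b in bs if b.get("risk_level") == "P1"),
    }
    save_context(workdir, ctx)
    log(workdir, "CONTEXT_UPDATED", f"bucket '{bucket['name']}' saved (risk={bucket.get('risk_level')})")
    return storage["summary"]


def run_listing(workdir, buckets):
    """The skill's loop: log START, persist each bucket as it is seen, log SUCCESS."""
    log(workdir, "START", "Listing storage buckets")
    summary = {}
    for b in buckets:
        summary = record_bucket(workdir, b)
    log(workdir, "SUCCESS", f"Found {summary.get('total', 0)} buckets")
    return summary


# Constructed sample findings (already classified), mirroring the page's examples.
SAMPLE_BUCKETS = [
    {"name": "avatars", "public": True, "risk_level": "info"},
    {"name": "backups", "public": True, "risk_level": "P0"},
    {"name": "documents", "public": False, "risk_level": "verify"},
]


def demo():
    """Run the loop in a fresh temp directory; return (summary, context, audit log lines)."""
    workdir = tempfile.mkdtemp(prefix="sb-pentest-demo-")
    summary = run_listing(workdir, SAMPLE_BUCKETS)
    with open(os.path.join(workdir, AUDIT_LOG), encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return summary, load_context(workdir), lines


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the context file is rewritten in full after every bucket, killing the process between two buckets leaves a valid JSON document containing every bucket recorded so far, which is exactly the property the rule above demands.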
MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/04-storage-audit/

Evidence Files to Create

| File | Content |
|---|---|
| buckets-config.json | All bucket configurations |
| buckets/[name]/file-list.json | File listing per bucket |
Evidence Format

```json
{
  "evidence_id": "STG-LIST-001",
  "timestamp": "2025-01-31T10:35:00Z",
  "category": "storage-audit",
  "type": "bucket_enumeration",
  "request": {
    "method": "GET",
    "url": "https://abc123def.supabase.co/storage/v1/bucket",
    "curl_command": "curl -s '$URL/storage/v1/bucket' -H 'apikey: $ANON_KEY' -H 'Authorization: Bearer $ANON_KEY'"
  },
  "buckets": [
    {
      "name": "avatars",
      "public": true,
      "file_size_limit": 1048576,
      "allowed_mime_types": ["image/jpeg", "image/png"],
      "risk_level": "info",
      "assessment": "Appropriate for public avatars"
    },
    {
      "name": "backups",
      "public": true,
      "file_size_limit": 524288000,
      "allowed_mime_types": ["*/*"],
      "risk_level": "P0",
      "assessment": "CRITICAL: Backup bucket should not be public"
    }
  ],
  "summary": {
    "total_buckets": 5,
    "public_buckets": 3,
    "private_buckets": 2,
    "critical_misconfigurations": 1
  }
}
```
Add to curl-commands.sh

```bash
# === STORAGE BUCKET ENUMERATION ===
# List all buckets. An empty array [] means the caller has no SELECT policy on
# storage.buckets (or there are none); it is not proof that no buckets exist.
curl -s "$SUPABASE_URL/storage/v1/bucket" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

# List files in a specific bucket. The object-list endpoint is a POST that takes
# a JSON body (prefix/limit/offset); a bare GET to this path will not list anything.
curl -s -X POST "$SUPABASE_URL/storage/v1/object/list/backups" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"prefix": "", "limit": 100, "offset": 0}'
```
Related Skills

- supabase-audit-buckets-read → Attempt to read files
- supabase-audit-buckets-public → Find misconfigured public buckets
- supabase-audit-storage-rls → Test storage RLS policies