supabase-audit-functions

What this skill does

# Edge Functions Audit

> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each function tested**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each function test**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill discovers and tests Supabase Edge Functions for security issues.

## When to Use This Skill

- To discover exposed Edge Functions
- To test function authentication requirements
- To check for input validation issues
- As part of comprehensive security audit

## Prerequisites

- Supabase URL available
- Detection completed

## Understanding Edge Functions

Supabase Edge Functions are Deno-based serverless functions:

```
https://[project].supabase.co/functions/v1/[function-name]
```

| Security Aspect | Consideration |
|-----------------|---------------|
| Authentication | Functions can require JWT or be public |
| CORS | Cross-origin access control |
| Input Validation | User input handling |
| Secrets | Environment variable exposure |

## Tests Performed

| Test | Purpose |
|------|---------|
| Function discovery | Find exposed functions |
| Auth requirements | Check if JWT required |
| Input validation | Test for injection |
| Error handling | Check for information disclosure |

## Usage

### Basic Function Audit

```
Audit Edge Functions on my Supabase project
```

### Test Specific Function

```
Test the process-payment Edge Function for security issues
```

## Output Format

```
═══════════════════════════════════════════════════════════
 EDGE FUNCTIONS AUDIT
═══════════════════════════════════════════════════════════

 Project: abc123def.supabase.co
 Endpoint: https://abc123def.supabase.co/functions/v1/

 ─────────────────────────────────────────────────────────
 Function Discovery
 ─────────────────────────────────────────────────────────

 Discovery Method: Common name enumeration + client code analysis

 Functions Found: 5

 ─────────────────────────────────────────────────────────
 1. hello-world
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/hello-world
 Method: GET, POST

 Authentication Test:
 ├── Without JWT: ✅ 200 OK
 └── Status: ℹ️ Public function (no auth required)

 Response:
 ```json
 {"message": "Hello, World!"}
 ```

 Assessment: ✅ APPROPRIATE
 Simple public endpoint, no sensitive operations.

 ─────────────────────────────────────────────────────────
 2. process-payment
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/process-payment
 Method: POST

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 ├── With valid JWT: ✅ 200 OK
 └── Status: ✅ Authentication required

 Input Validation Test:
 ├── Missing amount: ❌ 400 Bad Request (good)
 ├── Negative amount: ❌ 400 Bad Request (good)
 ├── String amount: ❌ 400 Bad Request (good)
 └── Valid input: ✅ 200 OK

 Error Response Test:
 ├── Error format: Generic message (good)
 └── Stack trace: ❌ Not exposed (good)

 Assessment: ✅ PROPERLY SECURED
 Requires auth, validates input, safe error handling.

 ─────────────────────────────────────────────────────────
 3. get-user-data
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/get-user-data
 Method: GET

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 └── Status: ✅ Authentication required

 Authorization Test:
 ├── Request own data: ✅ 200 OK
 ├── Request other user's data: ✅ 200 OK ← 🔴 P0!
 └── Status: 🔴 BROKEN ACCESS CONTROL

 Test:
 ```bash
 # As user A, request user B's data
 curl https://abc123def.supabase.co/functions/v1/get-user-data?user_id=user-b-id \
   -H "Authorization: Bearer [user-a-token]"

 # Returns user B's data!
 ```

 Finding: 🔴 P0 - IDOR VULNERABILITY
 Function accepts user_id parameter without verifying
 that the authenticated user is requesting their own data.

 Fix:
 ```typescript
 // In Edge Function
 const { user_id } = await req.json();
 const jwt_user = getUser(req); // From JWT

 // Verify ownership
 if (user_id !== jwt_user.id) {
   return new Response('Forbidden', { status: 403 });
 }
 ```

 ─────────────────────────────────────────────────────────
 4. admin-panel
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/admin-panel
 Method: GET, POST

 Authentication Test:
 ├── Without JWT: ❌ 401 Unauthorized
 ├── With regular user JWT: ✅ 200 OK ← 🔴 P0!
 └── Status: 🔴 MISSING ROLE CHECK

 Finding: 🔴 P0 - PRIVILEGE ESCALATION
 Admin function accessible to any authenticated user.
 No role verification in function code.

 Fix:
 ```typescript
 // Verify admin role
 const user = getUser(req);
 const { data: profile } = await supabase
   .from('profiles')
   .select('is_admin')
   .eq('id', user.id)
   .single();

 if (!profile?.is_admin) {
   return new Response('Forbidden', { status: 403 });
 }
 ```

 ─────────────────────────────────────────────────────────
 5. webhook-handler
 ─────────────────────────────────────────────────────────

 Endpoint: /functions/v1/webhook-handler
 Method: POST

 Authentication Test:
 ├── Without JWT: ✅ 200 OK (expected for webhooks)
 └── Status: ℹ️ Public (webhook endpoints are typically public)

 Webhook Security Test:
 ├── Signature validation: ⚠️ Unable to test (need valid signature)
 └── Rate limiting: Unknown

 Error Response Test:
 ```json
 {
   "error": "Invalid signature",
   "expected": "sha256=abc123...",
   "received": "sha256=xyz789..."
 }
 ```

 Finding: 🟠 P1 - INFORMATION DISCLOSURE
 Error response reveals expected signature format.
 Could help attacker understand validation mechanism.

 Fix:
 ```typescript
 // Generic error, log details server-side
 if (!validSignature) {
   console.error(`Invalid signature: expected ${expected}, got ${received}`);
   return new Response('Unauthorized', { status: 401 });
 }
 ```

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 Functions Found: 5

 Security Assessment:
 ├── ✅ Secure: 2 (hello-world, process-payment)
 ├── 🔴 P0: 2 (get-user-data IDOR, admin-panel privilege escalation)
 └── 🟠 P1: 1 (webhook-handler info disclosure)

 Critical Findings:
 1. IDOR in get-user-data - any user can access any user's data
 2. Missing role check in admin-panel - any user is admin

 Priority Actions:
 1. Fix get-user-data to verify user owns requested data
 2. Add admin role verification to admin-panel
 3. Fix webhook-handler error messages

═══════════════════════════════════════════════════════════
```

## Common Function Vulnerabilities

| Vulnerability | Description | Severity |
|---------------|-------------|----------|
| No auth | Function accessible without JWT | P0-P2 |
| IDOR | User can access other users' data | P0 |
| Missing role check | Regular user accesses admin functions | P0 |
| Input injection | User input not validated | P0-P1 |
| Info disclosure | Errors reveal internal details | P1-P2 |
| CORS misconfigured | Accessible from unintended origins | P1-P2 |

## Function Discovery Methods

### 1. Client Code Analysis

```javascript
// Look for function invocations in client code
supabase.functions.invoke('function-name', {...})
fetch('/functions/v1/function-name', {...})
```

### 2. Common Name Enumeration

Tested function names:
- hello-world, hello, test
- process-payment, payment, checkout
- get-user-data, user, profile
- admin, admin-panel, dashboard
- webhook, webhook-handler, stripe-webhook
- send-email, notify, notification

### 3. Error Response Analysis

```
404 Not Found → Function doesn't exist
401 Unauthorized → Function exists, needs auth
200 OK → Function exists, accessible
```

## Context Output

```json
{
  "functions_audit": {
    "ti