Supabase数据库连接字符串检测工具 - 防止PostgreSQL凭据泄露的安全审计技能

supabase-extract-db-string by yoanbernabeu/supabase-pentest-skills

99 周安装量

33 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-extract-db-string

自动化数据库安全

🇨🇳中文介绍

数据库连接字符串检测

🔴 关键：需要渐进式文件更新

你必须边执行边写入上下文文件，而不是等到最后才写。

每次发现后立即写入 .sb-pentest-context.json

每次操作前后记录到 .sb-pentest-audit.log

切勿等到技能执行完毕才更新文件

如果技能崩溃或被中断，所有之前的发现必须已经保存

这不是可选项。未能渐进式写入是关键性错误。

此技能用于检测 PostgreSQL 数据库连接字符串是否意外暴露在客户端代码中。

何时使用此技能

作为每次安全审计的一部分
在生产前审查代码时
当怀疑存在 Supabase 数据库访问时

先决条件

目标应用程序可访问
Supabase 检测已完成（如果需要会自动调用）

为何此检测至关重要

暴露的数据库连接字符串允许：

影响	描述

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

连接字符串模式

Supabase 数据库 URL

postgresql://postgres:[password]@db.[project-ref].supabase.co:5432/postgres

连接字符串组件

组件	示例	敏感度
主机	`db.abc123.supabase.co`	中等
端口	`5432`	低
数据库	`postgres`	低
用户名	`postgres`	中等
密码	`[your-password]`	🔴 关键

连接池连接 (Supavisor)

postgresql://postgres.[project-ref]:[password]@aws-0-us-east-1.pooler.supabase.com:6543/postgres

1. 完整连接字符串

// ❌ 关键 - 完整连接字符串
const dbUrl = 'postgresql://postgres:MySecretPass123@db.abc123.supabase.co:5432/postgres'

2. 环境变量泄露

// ❌ 在客户端包中暴露
process.env.DATABASE_URL
process.env.POSTGRES_URL
process.env.SUPABASE_DB_URL

// ⚠️ 密码单独暴露
const DB_PASSWORD = 'MySecretPass123'
const DB_HOST = 'db.abc123.supabase.co'

// ❌ 客户端代码中的数据库配置
const prisma = new PrismaClient({
  datasources: {
    db: {
      url: 'postgresql://postgres:pass@db.abc123.supabase.co:5432/postgres'
    }
  }
})

Check for database connection strings on https://myapp.example.com

Deep scan for DB credentials on https://myapp.example.com

未发现连接字符串（良好）

═══════════════════════════════════════════════════════════
 数据库连接字符串检查
═══════════════════════════════════════════════════════════

 状态: ✅ 未检测到数据库连接字符串

 扫描内容:
 ├── JavaScript 包: 分析了 5 个文件
 ├── PostgreSQL 模式: 未发现
 ├── 连接字符串: 未发现
 └── 密码模式: 未发现

 结果: 通过 - 未暴露直接数据库凭据
═══════════════════════════════════════════════════════════

发现连接字符串（关键）

═══════════════════════════════════════════════════════════
 🔴 关键：数据库连接字符串暴露
═══════════════════════════════════════════════════════════

 严重性: P0 - 关键
 状态: ❌ 在客户端代码中发现 PostgreSQL 连接字符串！

 ⚠️  需要立即采取行动 ⚠️

 连接字符串:
 postgresql://postgres:MySecr***@db.abc123def.supabase.co:5432/postgres
 (显示时密码部分已打码，完整值在上下文文件中)

 解析出的组件:
 ├── 主机: db.abc123def.supabase.co
 ├── 端口: 5432
 ├── 数据库: postgres
 ├── 用户名: postgres
 └── 密码: [已暴露] ← 关键

 位置:
 └── /static/js/api.chunk.js (第 234 行)
     const DATABASE_URL = 'postgresql://postgres:...'

 影响评估:
 ├── 🔴 可直接访问 PostgreSQL
 ├── 🔴 所有 RLS 策略被绕过
 ├── 🔴 可访问 auth.users 表
 ├── 🔴 可修改数据库模式
 └── 🔴 可能发生完全数据泄露

 ═══════════════════════════════════════════════════════════
 立即修复步骤
 ═══════════════════════════════════════════════════════════

 1. 立即更改数据库密码
    → Supabase 仪表板 > 设置 > 数据库 > 重置数据库密码

 2. 从客户端代码中移除
    → 从源代码中删除连接字符串
    → 确保 DATABASE_URL 不在 NEXT_PUBLIC_* 或 VITE_* 环境变量中
    → 重新部署应用程序

 3. 审计滥用情况
    → 检查 Supabase 日志中的直接 PostgreSQL 连接
    → 审查是否存在未经授权的数据访问或修改

 4. 使用正确的架构
    → 客户端应仅使用 Supabase 客户端库 (REST API)
    → 直接数据库访问应仅来自：
      - Edge Functions
      - 服务器端代码
      - 迁移工具

 文档:
 → https://supabase.com/docs/guides/database/connecting-to-postgres
 → https://supabase.com/docs/guides/functions

═══════════════════════════════════════════════════════════

{
  "findings": [
    {
      "id": "DB_CONNECTION_STRING_EXPOSED",
      "severity": "P0",
      "title": "PostgreSQL 连接字符串暴露",
      "description": "在客户端代码中发现包含密码的数据库连接字符串",
      "location": {
        "file": "/static/js/api.chunk.js",
        "line": 234
      },
      "evidence": {
        "host": "db.abc123def.supabase.co",
        "port": 5432,
        "database": "postgres",
        "username": "postgres",
        "password_exposed": true
      },
      "remediation": {
        "immediate": "在 Supabase 仪表板中重置数据库密码",
        "long_term": "将数据库操作移至 Edge Functions",
        "docs": "https://supabase.com/docs/guides/database/connecting-to-postgres"
      }
    }
  ],
  "supabase": {
    "db_string_exposed": true,
    "db_host": "db.abc123def.supabase.co"
  }
}

即使是部分暴露也值得关注：

═══════════════════════════════════════════════════════════
 ⚠️ 发现部分数据库凭据
═══════════════════════════════════════════════════════════

 严重性: P1 - 高

 发现:
 ├── 数据库主机: db.abc123def.supabase.co (第 45 行)
 ├── 数据库密码: [16 个字符的字符串] (第 89 行)
 └── 可能被组合起来用于访问

 建议:
 → 作为预防措施，轮换数据库密码
 → 从客户端代码中移除所有与数据库相关的值
═══════════════════════════════════════════════════════════

原因	解决方案
错误的环境变量前缀	切勿使用 `NEXT_PUBLIC_DATABASE_URL`
客户端中的 SSR 代码	确保仅限服务器的代码保留在服务器端
打包器配置错误	检查 webpack/vite 配置是否存在环境变量暴露
复制粘贴错误	仔细检查提交的内容

错误做法（客户端直接连接数据库）

// ❌ 切勿出现在客户端代码中
import { Pool } from 'pg'
const pool = new Pool({
  connectionString: process.env.DATABASE_URL  // ❌
})

正确做法（API 或 Edge Function）

// ✅ 客户端使用 Supabase 客户端
const { data } = await supabase
  .from('products')
  .select('*')

// 或者调用 Edge Function 处理复杂查询
const { data } = await supabase.functions.invoke('complex-query')

Edge Function（服务器端）

// supabase/functions/complex-query/index.ts
import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => {
  // ✅ 仅在服务器端进行直接数据库访问
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL'),
    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')
  )

  // 无法通过 REST 完成的复杂查询
  const { data } = await supabase.rpc('complex_function')
  return new Response(JSON.stringify(data))
})

强制要求：渐进式上下文文件更新

⚠️ 此技能必须在执行过程中渐进式更新跟踪文件，而不是仅在最后更新。

关键规则：边执行边写入

切勿在最后批量写入所有内容。而是：

开始任何操作之前 → 将操作记录到 .sb-pentest-audit.log
每次发现后 → 立即更新 .sb-pentest-context.json
每个重要步骤完成后 → 将完成情况记录到 .sb-pentest-audit.log

这确保了如果技能被中断、崩溃或超时，所有到该点为止的发现都会被保留。

必需的操作（渐进式）

更新 .sb-pentest-context.json 以包含发现：

{ "supabase": { "db_string_exposed": true/false, "db_host": "db.[ref].supabase.co" }, "findings": [ { "id": "DB_CONNECTION_STRING_EXPOSED", "severity": "P0", ... } ] }
记录到 .sb-pentest-audit.log：

[TIMESTAMP] [supabase-extract-db-string] [START] Checking for DB connection strings [TIMESTAMP] [supabase-extract-db-string] [CRITICAL] Connection string EXPOSED [TIMESTAMP] [supabase-extract-db-string] [CONTEXT_UPDATED] .sb-pentest-context.json updated
如果文件不存在，在写入前创建它们。

未能更新上下文文件是不可接受的。

强制要求：证据收集

📁 证据目录: .sb-pentest-evidence/02-extraction/db-string-exposure/

需要创建的证据文件（如果发现数据库字符串）

文件	内容
`db-string-exposure/connection-details.json`	解析后的连接字符串（密码已打码）
`db-string-exposure/location.txt`	文件路径和行号

证据格式（P0 发现）

{
  "evidence_id": "EXT-DB-001",
  "timestamp": "2025-01-31T10:12:00Z",
  "category": "extraction",
  "type": "db_connection_string",
  "severity": "P0",
  "finding_id": "P0-002",

  "connection_string": {
    "pattern": "postgresql://postgres:[REDACTED]@db.abc123def.supabase.co:5432/postgres",
    "host": "db.abc123def.supabase.co",
    "port": 5432,
    "database": "postgres",
    "username": "postgres",
    "password_exposed": true,
    "password_length": 24
  },

  "location": {
    "file": "/static/js/api.chunk.js",
    "line": 234,
    "context": "const DATABASE_URL = 'postgresql://postgres:...' // [REDACTED]"
  },

  "impact": {
    "direct_db_access": true,
    "rls_bypass": true,
    "schema_access": true,
    "auth_users_access": true
  },

  "remediation": {
    "immediate": "在 Supabase 仪表板中重置数据库密码",
    "remove_from_code": "从客户端代码中删除 DATABASE_URL",
    "verify_env_vars": "确保未使用 NEXT_PUBLIC_DATABASE_URL 或类似变量"
  }
}

添加到 timeline.md（P0）

## [TIMESTAMP] - 🔴 P0 关键：数据库连接字符串暴露
- 在客户端代码中发现包含密码的 PostgreSQL 连接字符串
- 位置: [file]:[line]
- 影响: 直接数据库访问，完全绕过 RLS
- 证据: `02-extraction/db-string-exposure/`
- **需要立即轮换密码**

supabase-extract-service-key — 检查服务密钥暴露
supabase-audit-tables-read — 通过 API 测试数据访问
supabase-report — 生成综合报告

🇺🇸English

Database Connection String Detection

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO , not just at the end.

Write to .sb-pentest-context.json IMMEDIATELY after each discovery

Log to .sb-pentest-audit.log BEFORE and AFTER each action

DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill detects if PostgreSQL database connection strings are accidentally exposed in client-side code.

When to Use This Skill

As part of every security audit
When reviewing code before production
When Supabase database access is suspected

Prerequisites

Target application accessible
Supabase detection completed (auto-invokes if needed)

Why This Is Critical

Exposed database connection strings allow:

Impact	Description
🔴 Direct DB Access	Bypass API, connect directly to PostgreSQL
🔴 Full Data Access	Read/write all data without RLS
🔴 Schema Access	View and modify database structure
🔴 User Enumeration	Access auth.users table directly

This is a P0 (Critical) finding requiring immediate action.

Connection String Patterns

Supabase Database URL

postgresql://postgres:[password]@db.[project-ref].supabase.co:5432/postgres

Connection String Components

Component	Example	Sensitivity
Host	`db.abc123.supabase.co`	Medium
Port	`5432`	Low
Database	`postgres`	Low
Username	`postgres`	Medium
Password	`[your-password]`	🔴 Critical

Pooler Connection (Supavisor)

postgresql://postgres.[project-ref]:[password]@aws-0-us-east-1.pooler.supabase.com:6543/postgres

Detection Patterns

1. Full Connection Strings

// ❌ CRITICAL - Full connection string
const dbUrl = 'postgresql://postgres:MySecretPass123@db.abc123.supabase.co:5432/postgres'

2. Environment Variable Leaks

// ❌ Exposed in client bundle
process.env.DATABASE_URL
process.env.POSTGRES_URL
process.env.SUPABASE_DB_URL

3. Partial Exposure

// ⚠️ Password exposed separately
const DB_PASSWORD = 'MySecretPass123'
const DB_HOST = 'db.abc123.supabase.co'

4. ORM Configuration

// ❌ Database config in client code
const prisma = new PrismaClient({
  datasources: {
    db: {
      url: 'postgresql://postgres:pass@db.abc123.supabase.co:5432/postgres'
    }
  }
})

Usage

Basic Check

Check for database connection strings on https://myapp.example.com

Deep Scan

Deep scan for DB credentials on https://myapp.example.com

Output Format

No Connection String Found (Good)

═══════════════════════════════════════════════════════════
 DATABASE CONNECTION STRING CHECK
═══════════════════════════════════════════════════════════

 Status: ✅ No database connection strings detected

 Scanned:
 ├── JavaScript bundles: 5 files analyzed
 ├── PostgreSQL patterns: None found
 ├── Connection strings: None found
 └── Password patterns: None found

 Result: PASS - No direct database credentials exposed
═══════════════════════════════════════════════════════════

Connection String FOUND (Critical)

═══════════════════════════════════════════════════════════
 🔴 CRITICAL: DATABASE CONNECTION STRING EXPOSED
═══════════════════════════════════════════════════════════

 Severity: P0 - CRITICAL
 Status: ❌ PostgreSQL connection string found in client code!

 ⚠️  IMMEDIATE ACTION REQUIRED ⚠️

 Connection String:
 postgresql://postgres:MySecr***@db.abc123def.supabase.co:5432/postgres
 (Password partially redacted in display, full value in context file)

 Parsed Components:
 ├── Host: db.abc123def.supabase.co
 ├── Port: 5432
 ├── Database: postgres
 ├── Username: postgres
 └── Password: [EXPOSED] ← CRITICAL

 Location:
 └── /static/js/api.chunk.js (line 234)
     const DATABASE_URL = 'postgresql://postgres:...'

 Impact Assessment:
 ├── 🔴 Direct PostgreSQL access possible
 ├── 🔴 All RLS policies bypassed
 ├── 🔴 Can access auth.users table
 ├── 🔴 Can modify database schema
 └── 🔴 Full data exfiltration possible

 ═══════════════════════════════════════════════════════════
 IMMEDIATE REMEDIATION STEPS
 ═══════════════════════════════════════════════════════════

 1. CHANGE DATABASE PASSWORD NOW
    → Supabase Dashboard > Settings > Database > Reset database password

 2. REMOVE FROM CLIENT CODE
    → Delete connection string from source code
    → Ensure DATABASE_URL is not in NEXT_PUBLIC_* or VITE_* env vars
    → Redeploy application

 3. AUDIT FOR ABUSE
    → Check Supabase logs for direct PostgreSQL connections
    → Review for unauthorized data access or modifications

 4. USE PROPER ARCHITECTURE
    → Client should ONLY use Supabase client library (REST API)
    → Direct DB access should ONLY be from:
      - Edge Functions
      - Server-side code
      - Migration tools

 Documentation:
 → https://supabase.com/docs/guides/database/connecting-to-postgres
 → https://supabase.com/docs/guides/functions

═══════════════════════════════════════════════════════════

Context Output

{
  "findings": [
    {
      "id": "DB_CONNECTION_STRING_EXPOSED",
      "severity": "P0",
      "title": "PostgreSQL Connection String Exposed",
      "description": "Database connection string with password found in client-side code",
      "location": {
        "file": "/static/js/api.chunk.js",
        "line": 234
      },
      "evidence": {
        "host": "db.abc123def.supabase.co",
        "port": 5432,
        "database": "postgres",
        "username": "postgres",
        "password_exposed": true
      },
      "remediation": {
        "immediate": "Reset database password in Supabase Dashboard",
        "long_term": "Move DB operations to Edge Functions",
        "docs": "https://supabase.com/docs/guides/database/connecting-to-postgres"
      }
    }
  ],
  "supabase": {
    "db_string_exposed": true,
    "db_host": "db.abc123def.supabase.co"
  }
}

Partial Exposure

Even partial exposure is concerning:

═══════════════════════════════════════════════════════════
 ⚠️ PARTIAL DATABASE CREDENTIALS FOUND
═══════════════════════════════════════════════════════════

 Severity: P1 - High

 Found:
 ├── Database host: db.abc123def.supabase.co (line 45)
 ├── Database password: [16 char string] (line 89)
 └── Could potentially be combined for access

 Recommendation:
 → Rotate database password as precaution
 → Remove all DB-related values from client code
═══════════════════════════════════════════════════════════

Common Causes

Cause	Solution
Wrong env prefix	Never use `NEXT_PUBLIC_DATABASE_URL`
SSR code in client	Ensure server-only code stays server-side
Bundler misconfiguration	Review webpack/vite config for env exposure
Copy-paste error	Double-check what you're committing

Architecture Guidance

Wrong (Direct DB in Client)

// ❌ NEVER in client code
import { Pool } from 'pg'
const pool = new Pool({
  connectionString: process.env.DATABASE_URL  // ❌
})

Correct (API or Edge Function)

// ✅ Client uses Supabase client
const { data } = await supabase
  .from('products')
  .select('*')

// OR call an Edge Function for complex queries
const { data } = await supabase.functions.invoke('complex-query')

Edge Function (Server-Side)

// supabase/functions/complex-query/index.ts
import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => {
  // ✅ Direct DB access only on server
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL'),
    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')
  )

  // Complex query that can't be done via REST
  const { data } = await supabase.rpc('complex_function')
  return new Response(JSON.stringify(data))
})

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before starting any action → Log the action to .sb-pentest-audit.log
After each discovery → Immediately update .sb-pentest-context.json
After each significant step → Log completion to .sb-pentest-audit.log

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Update.sb-pentest-context.json with findings:

{ "supabase": { "db_string_exposed": true/false, "db_host": "db.[ref].supabase.co" }, "findings": [ { "id": "DB_CONNECTION_STRING_EXPOSED", "severity": "P0", ... } ] }
Log to.sb-pentest-audit.log:

[TIMESTAMP] [supabase-extract-db-string] [START] Checking for DB connection strings [TIMESTAMP] [supabase-extract-db-string] [CRITICAL] Connection string EXPOSED [TIMESTAMP] [supabase-extract-db-string] [CONTEXT_UPDATED] .sb-pentest-context.json updated
If files don't exist , create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/02-extraction/db-string-exposure/

Evidence Files to Create (if DB string found)

File	Content
`db-string-exposure/connection-details.json`	Parsed connection string (password redacted)
`db-string-exposure/location.txt`	File path and line number

Evidence Format (P0 Finding)

{
  "evidence_id": "EXT-DB-001",
  "timestamp": "2025-01-31T10:12:00Z",
  "category": "extraction",
  "type": "db_connection_string",
  "severity": "P0",
  "finding_id": "P0-002",

  "connection_string": {
    "pattern": "postgresql://postgres:[REDACTED]@db.abc123def.supabase.co:5432/postgres",
    "host": "db.abc123def.supabase.co",
    "port": 5432,
    "database": "postgres",
    "username": "postgres",
    "password_exposed": true,
    "password_length": 24
  },

  "location": {
    "file": "/static/js/api.chunk.js",
    "line": 234,
    "context": "const DATABASE_URL = 'postgresql://postgres:...' // [REDACTED]"
  },

  "impact": {
    "direct_db_access": true,
    "rls_bypass": true,
    "schema_access": true,
    "auth_users_access": true
  },

  "remediation": {
    "immediate": "Reset database password in Supabase Dashboard",
    "remove_from_code": "Delete DATABASE_URL from client code",
    "verify_env_vars": "Ensure not using NEXT_PUBLIC_DATABASE_URL or similar"
  }
}

Add to timeline.md (P0)

## [TIMESTAMP] - 🔴 P0 CRITICAL: Database Connection String Exposed
- PostgreSQL connection string with password found in client code
- Location: [file]:[line]
- Impact: Direct database access, full RLS bypass
- Evidence: `02-extraction/db-string-exposure/`
- **IMMEDIATE PASSWORD ROTATION REQUIRED**

Related Skills

supabase-extract-service-key — Check for service key exposure
supabase-audit-tables-read — Test data access via API
supabase-report — Generate comprehensive report

Weekly Installs

Repository

yoanbernabeu/su…t-skills

GitHub Stars

First Seen

Jan 31, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

claude-code73

codex63

opencode61

gemini-cli58

github-copilot52

cursor52

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

44,900 周安装

🔴 直接数据库访问	绕过 API，直接连接到 PostgreSQL
🔴 完全数据访问	无需 RLS 即可读写所有数据
🔴 模式访问	查看和修改数据库结构
🔴 用户枚举	直接访问 auth.users 表