Skip to content

fix(db): harden transfer_app against app id enumeration#1680

Merged
riderx merged 1 commit intomainfrom
riderx/fix-transfer-enum
Feb 25, 2026
Merged

fix(db): harden transfer_app against app id enumeration#1680
riderx merged 1 commit intomainfrom
riderx/fix-transfer-enum

Conversation

@riderx
Copy link
Member

@riderx riderx commented Feb 24, 2026

Summary (AI generated)

  • Removed anonymous access to public.transfer_app via REVOKE ALL ... FROM anon in a new migration.
  • Updated transfer_app to return a uniform error message for non-existent apps and unauthorized requests when called without valid user context.
  • Kept transfer permission checks and cooldown logic intact while adding explicit unauthenticated call logging.
  • Ran SQL lint on the updated migration file to satisfy repo formatting and SQL style checks.

Motivation (AI generated)

transfer_app was previously callable by the anonymous/publiable role, allowing unauthenticated callers to infer valid app_id values from distinct error payloads. This is a confidentiality/tenant-enumeration risk.

Business Impact (AI generated)

  • Prevents anonymous app-identifier enumeration that can aid targeted abuse or reconnaissance.
  • Preserves existing transfer safeguards while reducing information disclosure risk.
  • Keeps behavior for authenticated workflows unchanged where applicable.

Test Plan (AI generated)

  • bunx sqlfluff lint --dialect postgres supabase/migrations/20260224120000_fix_transfer_app_security.sql
  • Deploy migration to a staging Supabase instance and confirm anon rest/v1/rpc/transfer_app requests cannot transfer or enumerate app IDs.
  • Confirm authenticated transfer path still functions for authorized users with valid app/org permissions.

Generated with AI

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 24, 2026
edited
Loading

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 54 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 5cb5da2 and 9a414d1.

📒 Files selected for processing (1)
  • supabase/migrations/20260224120000_fix_transfer_app_security.sql
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch riderx/fix-transfer-enum

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 24, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc784596f8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

supabase/migrations/20260224120000_fix_transfer_app_security.sql
Comment on lines +3 to +6
REVOKE ALL ON FUNCTION public.transfer_app(
p_app_id character varying,
p_new_org_id uuid
) FROM anon;
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Revoke transfer_app from PUBLIC to block anonymous execution

This migration only revokes transfer_app from anon, but PostgreSQL function privileges are also inherited from the PUBLIC pseudo-role; because this function was historically granted without a preceding REVOKE ... FROM PUBLIC (see existing grants in 20250530233128_base.sql), anonymous callers can still execute it via PUBLIC, so the intended RPC hardening is ineffective in production-like databases.

Useful? React with 👍 / 👎.

@riderx riderx force-pushed the riderx/fix-transfer-enum branch from d6c4024 to 9a414d1 Compare February 25, 2026 05:51
@riderx riderx merged commit f79588c into main Feb 25, 2026
11 of 12 checks passed
@riderx riderx deleted the riderx/fix-transfer-enum branch February 25, 2026 05:54
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 25, 2026

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@riderx