diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58c66e5..4a982f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [1.34.0]
 - Use system TLS root certificates to support self-hosted GitLab instances with internal CAs
 - Added new rule: Coze personal access token
+- Updated Supabase rule to detect project url's and validate their corresponding tokens
 ## [1.33.0]
 - Fixed header precedence so custom HTTP validation headers like `Accept` are preserved
diff --git a/data/rules/supabase.yml b/data/rules/supabase.yml
index 6cb4abb..c93c648 100644
--- a/data/rules/supabase.yml
+++ b/data/rules/supabase.yml
@@ -1,5 +1,5 @@
 rules:
- - name: Supabase API Key
+ - name: Supabase Management Token
 id: kingfisher.supabase.1
 pattern: |
 (?xi)
@@ -27,4 +27,54 @@ rules:
 - report_response: true
 - type: StatusMatch
 status:
- - 200
\ No newline at end of file
+ - 200
+ - name: Supabase Project API Key
+ id: kingfisher.supabase.2
+ pattern: |
+ (?xi)
+ \b
+ (
+ sb_secret_[a-z0-9_-]{31}
+ )
+ \b
+ min_entropy: 4.0
+ confidence: high
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: "{{SBPROJECTURL}}/rest/v1/?select=*"
+ headers:
+ Apikey: "{{TOKEN}}"
+ User-Agent: ""
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words:
+ - '"host":'
+ references:
+ - https://supabase.com/docs/reference/api/v1-get-an-organization
+ examples:
+ - "sb_secret_9uM4GhB0STF5R4K3HxQtlg_bzWW6DRj"
+ - "sb_secret_szE_jsbktD3pWgnfUjgahw_hcHEIOBH"
+ depends_on_rule:
+ - rule_id: "kingfisher.supabase.3"
+ variable: SBPROJECTURL
+ - name: Supabase Project URL
+ id: kingfisher.supabase.3
+ pattern:
+ (?xi)
+ (
+ https:\/\/[a-z0-9]{16,32}\.supabase\.co
+ )
+ confidence: medium
+ min_entropy: 3.0
+ visible: false
+ validation:
+ references:
+ - https://supabase.com/docs/guides/api
+ examples:
+ - "https://ejcvydfyxzmbtfbfstnq.supabase.co"
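Review bot: The closing `\b` of the new `sb_secret_[a-z0-9_-]{31}` pattern follows a character class that admits `-`, so a key whose 31st character is `-` will not match when it is followed by a quote, whitespace or end of line (`\b` needs a word character on at least one side); if `-` is genuinely part of the Supabase key alphabet, replace the trailing `\b` with `(?![a-z0-9_-])`, otherwise drop `-` from the class. The `Supabase Project URL` rule writes `pattern:` as a plain folded scalar instead of `pattern: |` like the other two rules; it only parses because `(?x)` discards the folded whitespace, and any later `#` or `: ` in the regex would turn into a YAML error, so use the block form for consistency. The `references` entry under `kingfisher.supabase.2` cites the management-API organization endpoint that belongs to rule 1, while the validation actually calls `/rest/v1/`; point it at the REST API docs instead. Keep in mind that validation sends the captured secret in the `Apikey` header to a URL lifted from the scanned content, and the only thing bounding that destination is the regex pinning the host to `[a-z0-9]{16,32}\.supabase\.co` — do not loosen that anchoring to a generic URL match, and consider whether the bare `validation:` (null) on the URL rule should be an explicit `validation: {}` if the loader distinguishes the two. The first rule's definition begins above this hunk.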