g14wxz/storage-path-validation
Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.
97
Quality
97%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Securityby
Passed
No known issues
Storage Path Validation
Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.
Overview
This tile enforces tenant-isolated file storage by creating a Postgres validation function (storage.validate_path) and attaching RLS policies to storage.objects. Every file operation is scoped to the authenticated user's tenant prefix, blocking traversal attacks at the database level.
Reference
Path Validation Function
storage.validate_path(path text, expected_tenant_id uuid) RETURNS boolean- Rejects paths with
..,./, or//. - Rejects paths not prefixed by
expected_tenant_id. - Declared as
SECURITY DEFINERwithsearch_path = storage, public.
Required RLS Policies per Private Bucket
| Operation | Condition |
|---|---|
| INSERT | storage.validate_path(name, auth.uid()) = true |
| SELECT | starts_with(name, auth.uid()::text || '/') |
| DELETE | starts_with(name, auth.uid()::text || '/') |
Bucket Path Convention
All paths MUST follow: {tenant_id}/{category}/{filename}
Dependencies
- supabase-mcp-verification -- root prerequisite; MCP connectivity MUST be verified first.
- Supabase
storageschema MUST be enabled on the target project.
Composition Position
- Stage: storage-security
- Priority: HIGH
- Executes after database schema tiles and before any application-layer storage integration.
- MUST run before tiles that upload files or generate signed URLs.
- Workspace
- g14wxz
- Visibility
- Public
- Created
- Last updated
- Publish Source
- CLI
- Badge
