g14wxz/storage-path-validation
Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.
97
Quality
97%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Passed
No known issues
index.mddocs/
Storage Path Validation
Prevents directory traversal in Supabase Storage via path validation functions and storage RLS.
Overview
This tile enforces tenant-isolated file storage by creating a Postgres validation function (storage.validate_path) and attaching RLS policies to storage.objects. Every file operation is scoped to the authenticated user's tenant prefix, blocking traversal attacks at the database level.
Reference
Path Validation Function
storage.validate_path(path text, expected_tenant_id uuid) RETURNS boolean- Rejects paths with
..,./, or//. - Rejects paths not prefixed by
expected_tenant_id. - Declared as
SECURITY DEFINERwithsearch_path = storage, public.
Required RLS Policies per Private Bucket
| Operation | Condition |
|---|---|
| INSERT | storage.validate_path(name, auth.uid()) = true |
| SELECT | starts_with(name, auth.uid()::text || '/') |
| DELETE | starts_with(name, auth.uid()::text || '/') |
Bucket Path Convention
All paths MUST follow: {tenant_id}/{category}/{filename}
Dependencies
- supabase-mcp-verification -- root prerequisite; MCP connectivity MUST be verified first.
- Supabase
storageschema MUST be enabled on the target project.
Composition Position
- Stage: storage-security
- Priority: HIGH
- Executes after database schema tiles and before any application-layer storage integration.
- MUST run before tiles that upload files or generate signed URLs.