supabase-audit-buckets-list

List all storage buckets and their configuration to identify the storage attack surface.

yoanbernabeu 43 1 Updated 4mo ago

GitHub

Install

npx skillscat add yoanbernabeu/supabase-pentest-skills/supabase-audit-buckets-list

Install via the SkillsCat registry.

SKILL.md

List Storage Buckets

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

Write to .sb-pentest-context.json IMMEDIATELY after each bucket discovered

Log to .sb-pentest-audit.log BEFORE and AFTER each operation

DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill discovers all storage buckets configured in a Supabase project.

When to Use This Skill

To inventory all storage buckets
Before testing bucket access permissions
To identify publicly accessible buckets
As part of storage security audit

Prerequisites

Supabase URL and anon key available
Detection completed

Understanding Supabase Storage

Supabase Storage provides:

https://[project].supabase.co/storage/v1/

Buckets can be:

Public: Files accessible without authentication
Private: Files require authentication and RLS policies

Storage API Endpoints

Endpoint	Purpose
`/storage/v1/bucket`	List buckets
`/storage/v1/object/list/[bucket]`	List files in bucket
`/storage/v1/object/[bucket]/[path]`	Access file
`/storage/v1/object/public/[bucket]/[path]`	Public file URL

Usage

Basic Bucket List

List storage buckets on my Supabase project

With Configuration Details

List all buckets with their security settings

Output Format

═══════════════════════════════════════════════════════════
 STORAGE BUCKETS
═══════════════════════════════════════════════════════════

 Project: abc123def.supabase.co
 Buckets Found: 5

 ─────────────────────────────────────────────────────────
 Bucket Inventory
 ─────────────────────────────────────────────────────────

 1. avatars
    ├── Public: ✅ YES
    ├── File Size Limit: 1MB
    ├── Allowed MIME: image/jpeg, image/png, image/webp
    ├── Files (estimated): 1,247
    └── Status: ℹ️ Expected public bucket

    Public URLs pattern:
    https://abc123def.supabase.co/storage/v1/object/public/avatars/[filename]

 2. documents
    ├── Public: ❌ NO (Private)
    ├── File Size Limit: 50MB
    ├── Allowed MIME: application/pdf, application/msword, *
    ├── Files (estimated): 523
    └── Status: ✅ Private, needs RLS verification

 3. uploads
    ├── Public: ✅ YES
    ├── File Size Limit: 100MB
    ├── Allowed MIME: */* (ANY)
    ├── Files (estimated): 3,891
    └── Status: 🟠 P1 - Public with unrestricted MIME types

    Risk: Any file type can be uploaded and accessed
    Recommendation: Restrict allowed MIME types

 4. backups
    ├── Public: ✅ YES ← UNEXPECTED
    ├── File Size Limit: 500MB
    ├── Allowed MIME: */*
    ├── Files (estimated): 45
    └── Status: 🔴 P0 - Sensitive bucket is PUBLIC

    Risk: Backup files publicly accessible!
    Immediate Action: Change to private bucket

 5. temp
    ├── Public: ❌ NO
    ├── File Size Limit: 10MB
    ├── Allowed MIME: */*
    ├── Files (estimated): 12
    └── Status: ✅ Private temporary storage

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 Total Buckets: 5
 Public Buckets: 3
   ├── Expected Public: 1 (avatars)
   ├── P1 Issues: 1 (uploads - unrestricted MIME)
   └── P0 Critical: 1 (backups - should be private)

 Private Buckets: 2
   └── Need RLS verification with supabase-audit-buckets-read

 Next Steps:
 ├── Fix 'backups' bucket - make private immediately
 ├── Restrict MIME types on 'uploads' bucket
 ├── Test RLS on private buckets
 └── Verify no sensitive files in public buckets

═══════════════════════════════════════════════════════════

Bucket Configuration Analysis

Config	Good	Bad
public: false	✅ Private by default	❌ public: true for sensitive data
fileSizeLimit	✅ Appropriate limits	❌ No limit or very large
allowedMimeTypes	✅ Restricted list	❌ `/` allows anything

Context Output

{
  "storage": {
    "buckets": [
      {
        "name": "avatars",
        "public": true,
        "file_size_limit": 1048576,
        "allowed_mime_types": ["image/jpeg", "image/png", "image/webp"],
        "estimated_files": 1247,
        "risk_level": "info",
        "expected_public": true
      },
      {
        "name": "backups",
        "public": true,
        "file_size_limit": 524288000,
        "allowed_mime_types": ["*/*"],
        "estimated_files": 45,
        "risk_level": "P0",
        "finding": "Sensitive bucket publicly accessible"
      }
    ],
    "summary": {
      "total": 5,
      "public": 3,
      "private": 2,
      "p0_issues": 1,
      "p1_issues": 1
    }
  }
}

Security Recommendations

For Public Buckets

-- Create restrictive RLS policy even for public buckets
CREATE POLICY "Public read avatars"
  ON storage.objects FOR SELECT
  USING (bucket_id = 'avatars');

CREATE POLICY "Users upload own avatar"
  ON storage.objects FOR INSERT
  WITH CHECK (
    bucket_id = 'avatars'
    AND auth.uid()::text = (storage.foldername(name))[1]
  );

For Private Buckets

-- Only owners can access their files
CREATE POLICY "Users access own documents"
  ON storage.objects FOR ALL
  USING (
    bucket_id = 'documents'
    AND auth.uid()::text = (storage.foldername(name))[1]
  );

Fix Public Backup Bucket

-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Add strict RLS
CREATE POLICY "Only admins access backups"
  ON storage.objects FOR ALL
  USING (
    bucket_id = 'backups'
    AND (SELECT is_admin FROM profiles WHERE id = auth.uid())
  );

Common Issues

❌ Problem: Cannot list buckets
✅ Solution: Storage API may be restricted. This is actually good security. Note as "unable to enumerate."

❌ Problem: Many buckets found
✅ Solution: Large applications may have many. Focus on public buckets first.

❌ Problem: Bucket count doesn't match expected
✅ Solution: Some buckets may be created dynamically. Check application code.

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before starting bucket enumeration → Log the action to .sb-pentest-audit.log
After each bucket discovered → Immediately update .sb-pentest-context.json
After each configuration analyzed → Log the result

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Update .sb-pentest-context.json with results:

{
  "storage": {
    "buckets": [ ... ],
    "summary": { "total": 5, "public": 3, "private": 2 }
  }
}

Log to .sb-pentest-audit.log:

[TIMESTAMP] [supabase-audit-buckets-list] [START] Listing storage buckets
[TIMESTAMP] [supabase-audit-buckets-list] [SUCCESS] Found 5 buckets
[TIMESTAMP] [supabase-audit-buckets-list] [CONTEXT_UPDATED] .sb-pentest-context.json updated

If files don't exist, create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/04-storage-audit/

Evidence Files to Create

File	Content
`buckets-config.json`	All bucket configurations
`buckets/[name]/file-list.json`	File listing per bucket

Evidence Format

{
  "evidence_id": "STG-LIST-001",
  "timestamp": "2025-01-31T10:35:00Z",
  "category": "storage-audit",
  "type": "bucket_enumeration",

  "request": {
    "method": "GET",
    "url": "https://abc123def.supabase.co/storage/v1/bucket",
    "curl_command": "curl -s '$URL/storage/v1/bucket' -H 'apikey: $ANON_KEY' -H 'Authorization: Bearer $ANON_KEY'"
  },

  "buckets": [
    {
      "name": "avatars",
      "public": true,
      "file_size_limit": 1048576,
      "allowed_mime_types": ["image/jpeg", "image/png"],
      "risk_level": "info",
      "assessment": "Appropriate for public avatars"
    },
    {
      "name": "backups",
      "public": true,
      "file_size_limit": 524288000,
      "allowed_mime_types": ["*/*"],
      "risk_level": "P0",
      "assessment": "CRITICAL: Backup bucket should not be public"
    }
  ],

  "summary": {
    "total_buckets": 5,
    "public_buckets": 3,
    "private_buckets": 2,
    "critical_misconfigurations": 1
  }
}

Add to curl-commands.sh

# === STORAGE BUCKET ENUMERATION ===
# List all buckets
curl -s "$SUPABASE_URL/storage/v1/bucket" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

# List files in specific bucket
curl -s "$SUPABASE_URL/storage/v1/object/list/backups" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

Related Skills

supabase-audit-buckets-read — Attempt to read files
supabase-audit-buckets-public — Find misconfigured public buckets
supabase-audit-storage-rls — Test storage RLS policies

supabase-audit-buckets-list

Install

List Storage Buckets

When to Use This Skill

Prerequisites

Understanding Supabase Storage

Storage API Endpoints

Usage

Basic Bucket List

With Configuration Details

Output Format

Bucket Configuration Analysis

Context Output

Security Recommendations

For Public Buckets

For Private Buckets

Fix Public Backup Bucket

Common Issues

MANDATORY: Progressive Context File Updates

Critical Rule: Write As You Go

Required Actions (Progressive)

MANDATORY: Evidence Collection

Evidence Files to Create

Evidence Format

Add to curl-commands.sh

Related Skills

Categories

Install

Recommended Skills