@soulbatical/tetra-dev-toolkit 1.17.1 → 1.17.2

package/lib/checks/security/config-rls-alignment.js

@@ -281,32 +281,120 @@ function isWideOpen(using) {
 }
 
 /**
- * Forbidden patterns in RLS policies — these bypass RLS and defeat the purpose.
- * Valid patterns (from sparkbuddy-live):
- *   - organization_id IN (SELECT auth_admin_organizations())
- *   - user_id = auth.uid()
- *   - USING(true) for public tables only
- *   - Subquery to parent table with org/user check
+ * Whitelist-based RLS policy validation.
  *
- * Everything else that grants blanket access is a security hole.
+ * ONLY these building blocks are allowed in USING/WITH CHECK clauses.
+ * Derived from sparkbuddy-live (the reference implementation).
+ * Everything that doesn't match is rejected as unrecognized.
+ *
+ * To add a new pattern: add it here AND document why it's safe.
  */
-const FORBIDDEN_RLS_PATTERNS = [
-  { pattern: /service_role/i, label: 'service_role bypass' },
-  { pattern: /current_setting\s*\(\s*'role'/i, label: 'PostgreSQL role check bypass' },
-  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role bypass' },
-  { pattern: /session_user\s*=\s*'postgres'/i, label: 'session_user postgres bypass' },
-  { pattern: /current_user\s*=\s*'postgres'/i, label: 'current_user postgres bypass' },
-  { pattern: /auth\.role\s*\(\)\s*=\s*'service_role'/i, label: 'auth.role() service_role bypass' },
-  { pattern: /pg_has_role/i, label: 'pg_has_role bypass' },
+const ALLOWED_RLS_ATOMS = [
+  // Org isolation via helper functions
+  /auth_admin_organizations\s*\(\)/i,
+  /auth_user_organizations\s*\(\)/i,
+  /auth_org_id\s*\(\)/i,
+  /auth_current_user_id\s*\(\)/i,
+  // User isolation
+  /auth\.uid\s*\(\)/i,
+  // Column comparisons (org_id, user_id, etc.)
+  /organization_id/i,
+  /organizationid/i,
+  /active_organization_id/i,
+  /user_id/i,
+  /userid/i,
+  /owner_id/i,
+  /created_by/i,
+  /creator_id/i,
+  /shared_by/i,
+  /sparkbuddy_user_id/i,
+  /user_public_id/i,
+  // Boolean/status column checks (for public/active filtering)
+  /is_active/i,
+  /is_public/i,
+  /is_template/i,
+  /is_published/i,
+  /anonymous_access/i,
+  /allow_cross_org_usage/i,
+  /visibility_level/i,
+  /published_status/i,
+  /post_type/i,
+  /status/i,
+  /active/i,
+  /invitation_token/i,
+  /original_testimonial_id/i,
+  /expires_at/i,
+  /session_id/i,
+  // Subqueries to parent tables
+  /\bIN\s*\(\s*SELECT\b/i,
+  /\bEXISTS\s*\(\s*SELECT\b/i,
+  // Literals and operators
+  /true/i,
+  /false/i,
+  /null/i,
+  /now\s*\(\)/i,
+  /\bAND\b/i,
+  /\bOR\b/i,
+  /\bNOT\b/i,
+  /\bIS\b/i,
+  /\bANY\b/i,
+  /\bARRAY\b/i,
+  // Legacy JWT pattern (sparkbuddy initial schema)
+  /auth\.jwt\s*\(\)/i,
+  /app_metadata/i,
+  // current_setting for app context (NOT role/jwt.claims bypass)
+  /current_setting\s*\(\s*'app\./i,
 ]
 
 /**
- * Check if a USING/WITH CHECK clause contains forbidden bypass patterns
- * Returns array of { label } for each forbidden pattern found
+ * Patterns that are NEVER allowed in RLS policies, regardless of context.
+ * These bypass RLS and defeat the purpose of having policies at all.
  */
-function findForbiddenPatterns(clause) {
-  if (!clause) return []
-  return FORBIDDEN_RLS_PATTERNS.filter(({ pattern }) => pattern.test(clause)).map(({ label }) => label)
+const BANNED_RLS_PATTERNS = [
+  { pattern: /service_role/i, label: 'service_role bypass — service role already bypasses RLS at the Supabase layer' },
+  { pattern: /current_setting\s*\(\s*'role'\s*(?:,\s*true\s*)?\)/i, label: 'PostgreSQL role check — bypasses tenant isolation' },
+  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role check — bypasses tenant isolation' },
+  { pattern: /session_user/i, label: 'session_user check — bypasses tenant isolation' },
+  { pattern: /current_user\s*=/i, label: 'current_user check — bypasses tenant isolation' },
+  { pattern: /auth\.role\s*\(\)/i, label: 'auth.role() check — bypasses tenant isolation' },
+  { pattern: /pg_has_role/i, label: 'pg_has_role — bypasses tenant isolation' },
+]
+
+/**
+ * Validate an RLS clause against the whitelist.
+ * Returns null if valid, or a description of what's wrong.
+ */
+function validateRlsClause(clause) {
+  if (!clause || !clause.trim()) return null
+
+  // First check for explicitly banned patterns
+  for (const { pattern, label } of BANNED_RLS_PATTERNS) {
+    if (pattern.test(clause)) return label
+  }
+
+  // Strip known-safe tokens and see if anything suspicious remains
+  let stripped = clause
+  // Remove string literals
+  stripped = stripped.replace(/'[^']*'/g, '')
+  // Remove numbers
+  stripped = stripped.replace(/\b\d+\b/g, '')
+  // Remove known-safe identifiers and functions
+  for (const atom of ALLOWED_RLS_ATOMS) {
+    stripped = stripped.replace(new RegExp(atom.source, 'gi'), '')
+  }
+  // Remove SQL syntax noise (parens, commas, operators, quotes, casts, aliases)
+  stripped = stripped.replace(/[(),"=<>!:.|{}\-\+\*\/\s]/g, '')
+  stripped = stripped.replace(/\b(AS|FROM|WHERE|SELECT|JOIN|ON|LIMIT|uuid|text|boolean|integer|jsonb|json|public|ARRAY|FOR)\b/gi, '')
+  // Remove table/column qualifiers that look like identifiers (lowercase + underscore)
+  stripped = stripped.replace(/\b[a-z_][a-z0-9_]*\b/gi, '')
+  stripped = stripped.trim()
+
+  // If anything substantial remains, it's an unrecognized pattern
+  if (stripped.length > 0) {
+    return `Unrecognized RLS clause content: "${clause.substring(0, 120)}". Only whitelisted patterns are allowed.`
+  }
+
+  return null
 }
 
 export async function run(config, projectRoot) {
@@ -475,24 +563,24 @@ export async function run(config, projectRoot) {
       }
     }
 
-    // CHECK 4b: No forbidden bypass patterns in any policy clause
+    // CHECK 4b: All policy clauses must match whitelisted patterns only
     for (const p of policies) {
-      const usingViolations = findForbiddenPatterns(p.using)
-      const checkViolations = findForbiddenPatterns(p.withCheck)
-      const allViolations = [...new Set([...usingViolations, ...checkViolations])]
-
-      if (allViolations.length > 0) {
-        results.passed = false
-        results.findings.push({
-          file: p.file,
-          line: 1,
-          type: 'rls-bypass-pattern',
-          severity: 'critical',
-          message: `Policy "${p.name}" on table "${tableName}" contains forbidden bypass pattern(s): ${allViolations.join(', ')}. RLS policies must ONLY use auth.uid(), auth_admin_organizations(), or parent-table subqueries. Service role bypasses RLS automatically — adding it to policies defeats the purpose.`,
-          fix: `Remove the bypass clause. Valid patterns: USING (organization_id IN (SELECT auth_admin_organizations())) or USING (user_id = auth.uid()).`
-        })
-        results.summary.critical++
-        results.summary.total++
+      for (const [clauseType, clause] of [['USING', p.using], ['WITH CHECK', p.withCheck]]) {
+        if (!clause) continue
+        const violation = validateRlsClause(clause)
+        if (violation) {
+          results.passed = false
+          results.findings.push({
+            file: p.file,
+            line: 1,
+            type: 'rls-invalid-clause',
+            severity: 'critical',
+            message: `Policy "${p.name}" on table "${tableName}" has invalid ${clauseType} clause: ${violation}`,
+            fix: `Only whitelisted patterns are allowed. Valid: auth_admin_organizations(), auth.uid(), org/user column checks, parent-table subqueries, boolean column filters. See ALLOWED_RLS_ATOMS in config-rls-alignment.js.`
+          })
+          results.summary.critical++
+          results.summary.total++
+        }
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.17.1",
+  "version": "1.17.2",
   "publishConfig": {
     "access": "restricted"
   },