npm - supascan - Versions diffs - 0.1.4 → 0.2.0 - Mend

supascan 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

package/.bun-version +1 -0
package/.github/workflows/release-github.yml +70 -0
package/.github/workflows/release-npm.yml +45 -0
package/.github/workflows/tests.yml +36 -0
package/apps/cli/build.ts +37 -0
package/apps/cli/package.json +28 -0
package/apps/cli/src/commands/analyze.ts +213 -0
package/apps/cli/src/commands/dump.ts +68 -0
package/apps/cli/src/commands/rpc.ts +67 -0
package/apps/cli/src/context.ts +96 -0
package/apps/cli/src/embedded-report.ts +1 -0
package/apps/cli/src/formatters/console.ts +39 -0
package/apps/cli/src/formatters/events.ts +95 -0
package/apps/cli/src/index.ts +105 -0
package/apps/cli/src/types.ts +9 -0
package/apps/cli/src/utils/args.ts +46 -0
package/apps/cli/src/utils/browser.ts +29 -0
package/apps/cli/src/utils/files.ts +12 -0
package/apps/cli/src/version.ts +3 -0
package/apps/web/build.ts +68 -0
package/apps/web/dev.ts +5 -0
package/apps/web/index.html +75 -0
package/apps/web/package.json +22 -0
package/apps/web/src/App.tsx +129 -0
package/apps/web/src/components/QueryBuilder.tsx +174 -0
package/apps/web/src/components/QueryWindow.tsx +133 -0
package/apps/web/src/components/RPCExecutor.tsx +176 -0
package/apps/web/src/components/SchemaBrowser.tsx +269 -0
package/apps/web/src/components/SmartTable.tsx +129 -0
package/apps/web/src/components/TargetConfig.tsx +130 -0
package/apps/web/src/components/TargetSummary.tsx +105 -0
package/apps/web/src/hooks/useAnalysis.ts +54 -0
package/apps/web/src/hooks/useNotification.ts +28 -0
package/apps/web/src/hooks/useRPC.ts +53 -0
package/apps/web/src/hooks/useSupabase.ts +46 -0
package/apps/web/src/hooks/useTableQuery.ts +148 -0
package/apps/web/src/index.tsx +18 -0
package/apps/web/src/types.ts +16 -0
package/apps/web/src/utils/hash.ts +27 -0
package/context.test.ts +93 -0
package/package.json +29 -44
package/packages/core/package.json +21 -0
package/packages/core/src/analyzer.ts +212 -0
package/packages/core/src/extractor.ts +233 -0
package/packages/core/src/index.ts +9 -0
package/packages/core/src/supabase.ts +316 -0
package/packages/core/src/types/analyzer.types.ts +72 -0
package/packages/core/src/types/event.types.ts +4 -0
package/packages/core/src/types/events.types.ts +5 -0
package/packages/core/src/types/extractor.types.ts +54 -0
package/packages/core/src/types/result.types.ts +17 -0
package/packages/core/src/types/supabase.types.ts +98 -0
package/tsconfig.json +23 -0
package/turbo.json +19 -0
package/utils.test.ts +68 -0
package/version.ts +3 -0
package/dist/supascan.js +0 -206

package/.bun-version ADDED Viewed

	@@ -0,0 +1 @@
1	+ 1.3.2

package/.github/workflows/release-github.yml ADDED Viewed

@@ -0,0 +1,70 @@
+name: Create GitHub Release
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+  release:
+    needs: tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+      - run: bun install --frozen-lockfile
+      - run: bun run build:binary
+      - name: Get version from package.json
+        id: pkg
+        run: echo "version=$(bun -e "console.log(require('./package.json').version)")" >> $GITHUB_OUTPUT
+      - name: Check if tag exists
+        id: tag-check
+        run: |
+          if git rev-parse "v${{ steps.pkg.outputs.version }}" >/dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Create and push tag
+        if: steps.tag-check.outputs.exists == 'false'
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag v${{ steps.pkg.outputs.version }}
+          git push origin v${{ steps.pkg.outputs.version }}
+      - name: Check if release exists
+        id: release-check
+        run: |
+          if gh release view "v${{ steps.pkg.outputs.version }}" >/dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Create GitHub Release
+        if: steps.release-check.outputs.exists == 'false'
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: v${{ steps.pkg.outputs.version }}
+          name: Release v${{ steps.pkg.outputs.version }}
+          generate_release_notes: true
+          files: |
+            dist/supascan

package/.github/workflows/release-npm.yml ADDED Viewed

@@ -0,0 +1,45 @@
+name: Publish to npm
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+  publish:
+    needs: tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+      - run: bun install --frozen-lockfile
+      - run: bun run build:bundle
+      - name: Get version from package.json
+        id: pkg
+        run: echo "version=$(bun -e "console.log(require('./package.json').version)")" >> $GITHUB_OUTPUT
+      - name: Check if version exists on npm
+        id: npm-check
+        run: |
+          if npm view supascan@${{ steps.pkg.outputs.version }} version 2>/dev/null; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Publish to npm
+        if: steps.npm-check.outputs.exists == 'false'
+        run: bun publish --access public
+        env:
+          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/tests.yml ADDED Viewed

@@ -0,0 +1,36 @@
+name: Tests
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  workflow_call:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+      - name: Lint
+        run: bun run lint
+      - name: Run tests
+        run: bun run test
+      - name: Build bundle
+        run: bun run build:bundle
+      - name: Build binary
+        run: bun run build:binary

package/apps/cli/build.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { $ } from "bun";
+import { mkdir, readFile } from "fs/promises";
+console.log("Building CLI...");
+await $`tsc --noEmit`;
+console.log("Building web app for embedding...");
+await $`cd ../web && bun run build`;
+const webHtml = await readFile("../web/dist/index.html", "utf-8");
+await Bun.write(
+  "./src/embedded-report.ts",
+  `export const reportTemplate = ${JSON.stringify(webHtml)};`,
+);
+await mkdir("./dist", { recursive: true });
+const nodeBuild = await Bun.build({
+  entrypoints: ["./src/index.ts"],
+  outdir: "./dist",
+  minify: true,
+  target: "node",
+  banner: "#!/usr/bin/env node",
+  naming: {
+    entry: "supascan.js",
+  },
+});
+if (!nodeBuild.success) {
+  console.error("Failed to bundle CLI");
+  for (const log of nodeBuild.logs) console.error(log);
+  process.exit(1);
+}
+console.log("✓ CLI built: dist/supascan.js");

package/apps/cli/package.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+  "name": "supascan",
+  "version": "0.2.0",
+  "type": "module",
+  "main": "./dist/supascan.js",
+  "bin": {
+    "supascan": "./dist/supascan.js"
+  },
+  "files": [
+    "dist/**"
+  ],
+  "scripts": {
+    "build": "bun run build.ts",
+    "dev": "bun run src/index.ts",
+    "lint": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@commander-js/extra-typings": "^14.0.0",
+    "@supabase/supabase-js": "^2.75.0",
+    "@supascan/core": "workspace:*",
+    "commander": "^14.0.1",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5.9.3"
+  }
+}

package/apps/cli/src/commands/analyze.ts ADDED Viewed

@@ -0,0 +1,213 @@
+import {
+  analyze,
+  type AnalysisResult,
+  type RPCParameter,
+} from "@supascan/core";
+import pc from "picocolors";
+import type { CLIContext } from "../context";
+import { log } from "../formatters/console";
+import { handleEvent } from "../formatters/events";
+export async function executeAnalyzeCommand(
+  ctx: CLIContext,
+  options: { schema?: string },
+): Promise<void> {
+  if (ctx.html) {
+    const { reportTemplate } = await import("../embedded-report");
+    const { generateTempFilePath, writeHtmlFile } = await import(
+      "../utils/files"
+    );
+    const { openInBrowser } = await import("../utils/browser");
+    const config = {
+      url: ctx.url,
+      key: ctx.key,
+      headers: ctx.headers,
+      autorun: true,
+    };
+    const encoded = Buffer.from(JSON.stringify(config)).toString("base64");
+    const filePath = generateTempFilePath();
+    const htmlContent = reportTemplate.replace(
+      "</head>",
+      `<script>window.__SUPASCAN_CONFIG__ = "${encoded}";</script></head>`,
+    );
+    writeHtmlFile(filePath, htmlContent);
+    openInBrowser(filePath);
+    log.success(`HTML report generated: ${filePath}`);
+    return;
+  }
+  const analysisGen = analyze(ctx.client, ctx.url, ctx.key, options);
+  let analysisResult;
+  while (true) {
+    const next = await analysisGen.next();
+    if (next.done) {
+      analysisResult = next.value;
+      break;
+    }
+    handleEvent(ctx, next.value);
+  }
+  if (!analysisResult || !analysisResult.success) {
+    log.error(
+      "Analysis failed",
+      analysisResult?.error.message ?? "Unknown error",
+    );
+    process.exit(1);
+  }
+  if (ctx.json) {
+    console.log(JSON.stringify(analysisResult.value, null, 2));
+  } else {
+    displayAnalysisResult(analysisResult.value);
+  }
+}
+function displayAnalysisResult(result: AnalysisResult): void {
+  console.log();
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log(pc.bold(pc.cyan("  SUPABASE DATABASE ANALYSIS")));
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log();
+  console.log(pc.bold(pc.yellow("TARGET SUMMARY")));
+  console.log(pc.dim("-".repeat(20)));
+  console.log(pc.bold("Domain:"), pc.white(result.summary.domain));
+  if (result.summary.metadata?.service) {
+    console.log(pc.bold("Service:"), pc.white(result.summary.metadata.service));
+  }
+  if (result.summary.metadata?.region) {
+    console.log(
+      pc.bold("Project ID:"),
+      pc.white(result.summary.metadata.region),
+    );
+  }
+  if (result.summary.metadata?.title) {
+    console.log(pc.bold("Title:"), pc.white(result.summary.metadata.title));
+  }
+  if (result.summary.metadata?.version) {
+    console.log(pc.bold("Version:"), pc.white(result.summary.metadata.version));
+  }
+  if (result.summary.jwtInfo) {
+    console.log();
+    console.log(pc.bold(pc.yellow("JWT TOKEN INFO")));
+    console.log(pc.dim("-".repeat(20)));
+    if (result.summary.jwtInfo.iss) {
+      console.log(pc.bold("Issuer:"), pc.white(result.summary.jwtInfo.iss));
+    }
+    if (result.summary.jwtInfo.aud) {
+      console.log(pc.bold("Audience:"), pc.white(result.summary.jwtInfo.aud));
+    }
+    if (result.summary.jwtInfo.role) {
+      console.log(pc.bold("Role:"), pc.white(result.summary.jwtInfo.role));
+    }
+    if (result.summary.jwtInfo.exp) {
+      const expDate = new Date(result.summary.jwtInfo.exp * 1000);
+      console.log(pc.bold("Expires:"), pc.white(expDate.toISOString()));
+    }
+    if (result.summary.jwtInfo.iat) {
+      const iatDate = new Date(result.summary.jwtInfo.iat * 1000);
+      console.log(pc.bold("Issued:"), pc.white(iatDate.toISOString()));
+    }
+  }
+  console.log();
+  console.log(pc.bold(pc.cyan("DATABASE ANALYSIS")));
+  console.log(pc.dim("-".repeat(20)));
+  console.log(
+    pc.bold("Schemas discovered:"),
+    pc.green(result.schemas.length.toString()),
+  );
+  console.log();
+  Object.entries(result.schemaDetails).forEach(([schema, analysis]) => {
+    console.log(pc.bold(pc.cyan(`Schema: ${schema}`)));
+    console.log();
+    const exposedCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "readable",
+    ).length;
+    const deniedCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "denied",
+    ).length;
+    const emptyCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "empty",
+    ).length;
+    console.log(
+      pc.bold("Tables:"),
+      pc.green(analysis.tables.length.toString()),
+    );
+    console.log(
+      pc.dim(
+        `  ${exposedCount} exposed | ${emptyCount} empty/protected | ${deniedCount} denied`,
+      ),
+    );
+    console.log();
+    if (analysis.tables.length > 0) {
+      analysis.tables.forEach((table) => {
+        const access = analysis.tableAccess[table];
+        let indicator = "";
+        let description = "";
+        switch (access?.status) {
+          case "readable":
+            indicator = pc.green("[+]");
+            description = pc.dim(`(~${access.rowCount ?? "?"} rows exposed)`);
+            break;
+          case "empty":
+            indicator = pc.yellow("[-]");
+            description = pc.dim("(0 rows - empty or RLS)");
+            break;
+          case "denied":
+            indicator = pc.red("[X]");
+            description = pc.dim("(access denied)");
+            break;
+        }
+        console.log(`  ${indicator} ${pc.white(table)} ${description}`);
+      });
+    } else {
+      console.log(pc.dim("  No tables found"));
+    }
+    console.log();
+    console.log(pc.bold("RPCs:"), pc.green(analysis.rpcs.length.toString()));
+    if (analysis.rpcFunctions.length > 0) {
+      analysis.rpcFunctions.forEach((rpc) => {
+        console.log(`  * ${pc.white(rpc.name)}`);
+        if (rpc.parameters.length > 0) {
+          rpc.parameters.forEach((param: RPCParameter) => {
+            const required = param.required
+              ? pc.red("(required)")
+              : pc.dim("(optional)");
+            const type = param.format
+              ? `${param.type} (${param.format})`
+              : param.type;
+            console.log(
+              `    - ${pc.cyan(param.name)}: ${pc.yellow(type)} ${required}`,
+            );
+          });
+        } else {
+          console.log(pc.dim("    No parameters"));
+        }
+      });
+    } else {
+      console.log(pc.dim("  No RPCs found"));
+    }
+    console.log();
+  });
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log();
+}

package/apps/cli/src/commands/dump.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { dumpTable } from "@supascan/core";
+import type { CLIContext } from "../context";
+import { log } from "../formatters/console";
+export async function executeDumpCommand(
+  ctx: CLIContext,
+  options: { dump: string; limit: string },
+): Promise<void> {
+  const parts = options.dump.split(".");
+  if (parts.length === 1) {
+    const schema = parts[0];
+    if (!schema) {
+      log.error("Invalid dump format. Use schema.table or schema");
+      process.exit(1);
+    }
+    log.info(`Dumping swagger for schema: ${schema}`);
+    const { data, error } = await ctx.client.schema(schema).from("").select();
+    if (error) {
+      log.error("Failed to fetch swagger", error.message);
+      process.exit(1);
+    }
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+  if (parts.length === 2) {
+    const schema = parts[0];
+    const table = parts[1];
+    if (!schema || !table) {
+      log.error("Invalid dump format. Use schema.table");
+      process.exit(1);
+    }
+    const limit = parseInt(options.limit);
+    if (isNaN(limit) || limit <= 0) {
+      log.error("Invalid limit value");
+      process.exit(1);
+    }
+    log.info(`Dumping table: ${schema}.${table} (limit: ${limit})`);
+    const result = await dumpTable(ctx.client, schema, table, limit);
+    if (!result.success) {
+      log.error("Failed to dump table", result.error.message);
+      process.exit(1);
+    }
+    if (ctx.json) {
+      console.log(JSON.stringify(result.value, null, 2));
+    } else {
+      console.log(
+        `\nTable: ${schema}.${table} (${result.value.count} total rows, showing ${result.value.rows.length})\n`,
+      );
+      console.table(result.value.rows);
+    }
+    return;
+  }
+  log.error("Invalid dump format. Use schema.table or schema");
+  process.exit(1);
+}

package/apps/cli/src/commands/rpc.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import { callRPC } from "@supascan/core";
+import type { CLIContext } from "../context";
+import { log } from "../formatters/console";
+import { parseRPCArgs } from "../utils/args";
+export async function executeRPCCommand(
+  ctx: CLIContext,
+  options: {
+    rpc: string;
+    args?: string;
+    limit: string;
+    explain?: boolean;
+  },
+): Promise<void> {
+  const parts = options.rpc.split(".");
+  if (parts.length !== 2) {
+    log.error("Invalid RPC format. Use schema.rpc_name");
+    process.exit(1);
+  }
+  const schema = parts[0];
+  const rpcName = parts[1];
+  if (!schema || !rpcName) {
+    log.error("Invalid RPC format. Use schema.rpc_name");
+    process.exit(1);
+  }
+  const parsedArgs = options.args ? parseRPCArgs(options.args) : {};
+  const limit = parseInt(options.limit);
+  if (isNaN(limit) || limit <= 0) {
+    log.error("Invalid limit value");
+    process.exit(1);
+  }
+  log.info(`Calling RPC: ${schema}.${rpcName}`);
+  if (Object.keys(parsedArgs).length > 0) {
+    log.info("Arguments:", JSON.stringify(parsedArgs));
+  }
+  const result = await callRPC(ctx.client, schema, rpcName, parsedArgs, {
+    limit,
+    explain: options.explain,
+  });
+  if (!result.success) {
+    log.error("RPC call failed", result.error.message);
+    process.exit(1);
+  }
+  if (ctx.json) {
+    console.log(JSON.stringify(result.value, null, 2));
+  } else if (options.explain) {
+    console.log("\nQuery Execution Plan:\n");
+    console.log(result.value);
+  } else {
+    console.log("\nRPC Result:\n");
+    if (Array.isArray(result.value)) {
+      console.table(result.value);
+    } else {
+      console.log(JSON.stringify(result.value, null, 2));
+    }
+  }
+}

package/apps/cli/src/context.ts ADDED Viewed

@@ -0,0 +1,96 @@
+import { createClient, type SupabaseClient } from "@supabase/supabase-js";
+import { extractFromUrl } from "@supascan/core";
+import { log } from "./formatters/console";
+import { parseHeaders } from "./utils/args";
+export type CLIContext = {
+  debug: boolean;
+  json: boolean;
+  html: boolean;
+  suppressExperimentalWarnings: boolean;
+  url: string;
+  key: string;
+  headers?: Record<string, string>;
+  client: SupabaseClient;
+};
+export async function createCLIContext(options: {
+  url?: string;
+  key?: string;
+  extract?: string;
+  debug?: boolean;
+  json?: boolean;
+  html?: boolean;
+  suppressExperimentalWarnings?: boolean;
+  header?: string[];
+}): Promise<CLIContext> {
+  let url = options.url;
+  let key = options.key;
+  if (options.extract) {
+    const extractGen = extractFromUrl(options.extract);
+    let extractResult;
+    while (true) {
+      const next = await extractGen.next();
+      if (next.done) {
+        extractResult = next.value;
+        break;
+      }
+      if (options.debug) {
+        const event = next.value;
+        if (event.type === "content_fetched") {
+          console.error(
+            `[DEBUG] Fetched ${event.data.size} bytes (${event.data.contentType})`,
+          );
+        } else if (event.type === "script_checking") {
+          console.error(`[DEBUG] Checking script: ${event.data.scriptUrl}`);
+        }
+      }
+    }
+    if (!extractResult || !extractResult.success) {
+      throw new Error(
+        `Failed to extract credentials: ${extractResult?.error.message ?? "Unknown error"}`,
+      );
+    }
+    url = extractResult.value.url;
+    key = extractResult.value.key;
+    if (extractResult.value.source) {
+      log.success(`Extracted credentials from: ${extractResult.value.source}`);
+    } else {
+      log.success("Extracted credentials from target");
+    }
+    if (options.debug) {
+      console.error(`[DEBUG] URL: ${url}`);
+      console.error(`[DEBUG] Key: ${key?.substring(0, 20)}...`);
+    }
+  }
+  if (!url || !key) {
+    throw new Error("Either provide --url and --key, or use --extract <url>");
+  }
+  const headers =
+    options.header && options.header.length > 0
+      ? parseHeaders(options.header)
+      : undefined;
+  const clientOptions = headers ? { global: { headers } } : undefined;
+  const client = createClient(url, key, clientOptions);
+  return {
+    debug: options.debug || false,
+    json: options.json || false,
+    html: options.html || false,
+    suppressExperimentalWarnings: options.suppressExperimentalWarnings || false,
+    url,
+    key,
+    headers,
+    client,
+  };
+}