home / skills / yoanbernabeu / supabase-pentest-skills / supabase-audit-buckets-list

supabase-audit-buckets-list skill

safe

/skills/audit-storage/supabase-audit-buckets-list

This skill inventories all Supabase storage buckets and configurations, highlighting public exposure and RLS gaps to strengthen storage security.

npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-list

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

10.3 KB

---
name: supabase-audit-buckets-list
description: List all storage buckets and their configuration to identify the storage attack surface.
---

# List Storage Buckets

> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each bucket discovered**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each operation**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill discovers all storage buckets configured in a Supabase project.

## When to Use This Skill

- To inventory all storage buckets
- Before testing bucket access permissions
- To identify publicly accessible buckets
- As part of storage security audit

## Prerequisites

- Supabase URL and anon key available
- Detection completed

## Understanding Supabase Storage

Supabase Storage provides:

```
https://[project].supabase.co/storage/v1/
```

Buckets can be:
- **Public**: Files accessible without authentication
- **Private**: Files require authentication and RLS policies

## Storage API Endpoints

| Endpoint | Purpose |
|----------|---------|
| `/storage/v1/bucket` | List buckets |
| `/storage/v1/object/list/[bucket]` | List files in bucket |
| `/storage/v1/object/[bucket]/[path]` | Access file |
| `/storage/v1/object/public/[bucket]/[path]` | Public file URL |

## Usage

### Basic Bucket List

```
List storage buckets on my Supabase project
```

### With Configuration Details

```
List all buckets with their security settings
```

## Output Format

```
═══════════════════════════════════════════════════════════
 STORAGE BUCKETS
═══════════════════════════════════════════════════════════

 Project: abc123def.supabase.co
 Buckets Found: 5

 ─────────────────────────────────────────────────────────
 Bucket Inventory
 ─────────────────────────────────────────────────────────

 1. avatars
    ├── Public: ✅ YES
    ├── File Size Limit: 1MB
    ├── Allowed MIME: image/jpeg, image/png, image/webp
    ├── Files (estimated): 1,247
    └── Status: ℹ️ Expected public bucket

    Public URLs pattern:
    https://abc123def.supabase.co/storage/v1/object/public/avatars/[filename]

 2. documents
    ├── Public: ❌ NO (Private)
    ├── File Size Limit: 50MB
    ├── Allowed MIME: application/pdf, application/msword, *
    ├── Files (estimated): 523
    └── Status: ✅ Private, needs RLS verification

 3. uploads
    ├── Public: ✅ YES
    ├── File Size Limit: 100MB
    ├── Allowed MIME: */* (ANY)
    ├── Files (estimated): 3,891
    └── Status: 🟠 P1 - Public with unrestricted MIME types

    Risk: Any file type can be uploaded and accessed
    Recommendation: Restrict allowed MIME types

 4. backups
    ├── Public: ✅ YES ← UNEXPECTED
    ├── File Size Limit: 500MB
    ├── Allowed MIME: */*
    ├── Files (estimated): 45
    └── Status: 🔴 P0 - Sensitive bucket is PUBLIC

    Risk: Backup files publicly accessible!
    Immediate Action: Change to private bucket

 5. temp
    ├── Public: ❌ NO
    ├── File Size Limit: 10MB
    ├── Allowed MIME: */*
    ├── Files (estimated): 12
    └── Status: ✅ Private temporary storage

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 Total Buckets: 5
 Public Buckets: 3
   ├── Expected Public: 1 (avatars)
   ├── P1 Issues: 1 (uploads - unrestricted MIME)
   └── P0 Critical: 1 (backups - should be private)

 Private Buckets: 2
   └── Need RLS verification with supabase-audit-buckets-read

 Next Steps:
 ├── Fix 'backups' bucket - make private immediately
 ├── Restrict MIME types on 'uploads' bucket
 ├── Test RLS on private buckets
 └── Verify no sensitive files in public buckets

═══════════════════════════════════════════════════════════
```

## Bucket Configuration Analysis

| Config | Good | Bad |
|--------|------|-----|
| public: false | ✅ Private by default | ❌ public: true for sensitive data |
| fileSizeLimit | ✅ Appropriate limits | ❌ No limit or very large |
| allowedMimeTypes | ✅ Restricted list | ❌ `*/*` allows anything |

## Context Output

```json
{
  "storage": {
    "buckets": [
      {
        "name": "avatars",
        "public": true,
        "file_size_limit": 1048576,
        "allowed_mime_types": ["image/jpeg", "image/png", "image/webp"],
        "estimated_files": 1247,
        "risk_level": "info",
        "expected_public": true
      },
      {
        "name": "backups",
        "public": true,
        "file_size_limit": 524288000,
        "allowed_mime_types": ["*/*"],
        "estimated_files": 45,
        "risk_level": "P0",
        "finding": "Sensitive bucket publicly accessible"
      }
    ],
    "summary": {
      "total": 5,
      "public": 3,
      "private": 2,
      "p0_issues": 1,
      "p1_issues": 1
    }
  }
}
```

## Security Recommendations

### For Public Buckets

```sql
-- Create restrictive RLS policy even for public buckets
CREATE POLICY "Public read avatars"
  ON storage.objects FOR SELECT
  USING (bucket_id = 'avatars');

CREATE POLICY "Users upload own avatar"
  ON storage.objects FOR INSERT
  WITH CHECK (
    bucket_id = 'avatars'
    AND auth.uid()::text = (storage.foldername(name))[1]
  );
```

### For Private Buckets

```sql
-- Only owners can access their files
CREATE POLICY "Users access own documents"
  ON storage.objects FOR ALL
  USING (
    bucket_id = 'documents'
    AND auth.uid()::text = (storage.foldername(name))[1]
  );
```

### Fix Public Backup Bucket

```sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Add strict RLS
CREATE POLICY "Only admins access backups"
  ON storage.objects FOR ALL
  USING (
    bucket_id = 'backups'
    AND (SELECT is_admin FROM profiles WHERE id = auth.uid())
  );
```

## Common Issues

❌ **Problem:** Cannot list buckets
✅ **Solution:** Storage API may be restricted. This is actually good security. Note as "unable to enumerate."

❌ **Problem:** Many buckets found
✅ **Solution:** Large applications may have many. Focus on public buckets first.

❌ **Problem:** Bucket count doesn't match expected
✅ **Solution:** Some buckets may be created dynamically. Check application code.

## MANDATORY: Progressive Context File Updates

⚠️ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**

### Critical Rule: Write As You Go

**DO NOT** batch all writes at the end. Instead:

1. **Before starting bucket enumeration** → Log the action to `.sb-pentest-audit.log`
2. **After each bucket discovered** → Immediately update `.sb-pentest-context.json`
3. **After each configuration analyzed** → Log the result

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

### Required Actions (Progressive)

1. **Update `.sb-pentest-context.json`** with results:
   ```json
   {
     "storage": {
       "buckets": [ ... ],
       "summary": { "total": 5, "public": 3, "private": 2 }
     }
   }
   ```

2. **Log to `.sb-pentest-audit.log`**:
   ```
   [TIMESTAMP] [supabase-audit-buckets-list] [START] Listing storage buckets
   [TIMESTAMP] [supabase-audit-buckets-list] [SUCCESS] Found 5 buckets
   [TIMESTAMP] [supabase-audit-buckets-list] [CONTEXT_UPDATED] .sb-pentest-context.json updated
   ```

3. **If files don't exist**, create them before writing.

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## MANDATORY: Evidence Collection

📁 **Evidence Directory:** `.sb-pentest-evidence/04-storage-audit/`

### Evidence Files to Create

| File | Content |
|------|---------|
| `buckets-config.json` | All bucket configurations |
| `buckets/[name]/file-list.json` | File listing per bucket |

### Evidence Format

```json
{
  "evidence_id": "STG-LIST-001",
  "timestamp": "2025-01-31T10:35:00Z",
  "category": "storage-audit",
  "type": "bucket_enumeration",

  "request": {
    "method": "GET",
    "url": "https://abc123def.supabase.co/storage/v1/bucket",
    "curl_command": "curl -s '$URL/storage/v1/bucket' -H 'apikey: $ANON_KEY' -H 'Authorization: Bearer $ANON_KEY'"
  },

  "buckets": [
    {
      "name": "avatars",
      "public": true,
      "file_size_limit": 1048576,
      "allowed_mime_types": ["image/jpeg", "image/png"],
      "risk_level": "info",
      "assessment": "Appropriate for public avatars"
    },
    {
      "name": "backups",
      "public": true,
      "file_size_limit": 524288000,
      "allowed_mime_types": ["*/*"],
      "risk_level": "P0",
      "assessment": "CRITICAL: Backup bucket should not be public"
    }
  ],

  "summary": {
    "total_buckets": 5,
    "public_buckets": 3,
    "private_buckets": 2,
    "critical_misconfigurations": 1
  }
}
```

### Add to curl-commands.sh

```bash
# === STORAGE BUCKET ENUMERATION ===
# List all buckets
curl -s "$SUPABASE_URL/storage/v1/bucket" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"

# List files in specific bucket
curl -s "$SUPABASE_URL/storage/v1/object/list/backups" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer $ANON_KEY"
```

## Related Skills

- `supabase-audit-buckets-read` — Attempt to read files
- `supabase-audit-buckets-public` — Find misconfigured public buckets
- `supabase-audit-storage-rls` — Test storage RLS policies

Overview

This skill enumerates all Supabase storage buckets and reports their configuration so you can quickly identify the storage attack surface. It provides per-bucket details (public flag, size limits, allowed MIME types, estimated file counts) and a concise risk summary with remediation guidance. The skill is designed for integration in automated security audits and manual penetration tests.

How this skill works

The skill queries the Supabase Storage API to list buckets and inspects each bucket's configuration and metadata. It flags public buckets, unrestricted MIME settings, large size limits, and other indicators of misconfiguration. Results are returned as a structured inventory and a summary that highlights critical and priority issues, plus recommended SQL/RLS fixes.

When to use it

Inventory storage before running read or upload tests
As a preliminary step in a Supabase storage security audit
To identify unexpectedly public or misconfigured buckets
When validating changes to storage policies or deployment
Before searching for sensitive files in public buckets

Best practices

Record findings progressively: update context and logs after each bucket discovery
Prioritize public buckets and those allowing */* MIME types for immediate review
Treat unexpected public buckets as high/critical and remediate first
Collect evidence (API requests, bucket configs, file lists) for reproducible reports
Verify private buckets with a dedicated RLS test skill after enumeration

Example use cases

Run a fast inventory to find any public backup or sensitive buckets
Generate a report of bucket settings and recommended RLS SQL to hand to developers
Automate storage enumeration as part of CI security checks for Supabase projects
Combine with read-tests to confirm whether public buckets actually expose files
Triage a production incident by quickly listing storage surfaces and risk levels

FAQ

What credentials are required?

An active Supabase URL and anon key are needed to call the storage list endpoint.

What if listing buckets is blocked?

If enumeration is restricted, note it as 'unable to enumerate' — restricted APIs are a positive control.

How are public buckets identified?

By the bucket 'public' flag and by checking public object URL patterns provided by the Storage API.