Skip to content

Proposal update to make it where Supabase rule 0029 will skip functions whose body matches a reasonable "gated" heuristic - e.g. contains a check on 'auth.uid( )', 'has_role', 'is_admin', or equivalent. #172

Description

@larrypendletoniii

Title

0029: allow opt-in suppression for SECURITY DEFINER functions that self-gate the caller

Body

Summary

Rule 0029_authenticated_security_definer_function_executable flags every SECURITY DEFINER function in the exposed API schema that is executable by authenticated. In codebases that legitimately rely on definer RPCs for cross-user reads, RPC-only tables, and rate-limit counters, this produces a large number of warnings that cannot be resolved without either (a) removing DEFINER and breaking the RPC's purpose, or (b) revoking EXECUTE from authenticated and moving the call off the Data API.

Both options are unattractive for the common pattern where a definer function is the gate:

CREATE OR REPLACE FUNCTION public.mp_end_room_v2(p_game_id uuid, p_reason text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = 'public' AS $$
DECLARE v_uid uuid := auth.uid();
BEGIN
  IF v_uid IS NULL THEN RETURN; END IF;
  -- ...participant check against mp_games...
  UPDATE public.mp_games SET status = 'ended' WHERE id = p_game_id
    AND (host_user_id = v_uid OR guest_user_id = v_uid);
END $$;

This function needs DEFINER because it mutates the opponent's row in mp_games; it self-gates via auth.uid() and a participant check. There is no safe alternative: SECURITY INVOKER would fail RLS, and revoking EXECUTE FROM authenticated would make the game unplayable.

Concrete data point

In a game project with ~40 definer RPCs (matchmaking, chat, ranked Elo, spectator flow), rule 0029 flags 33+ functions. After a manual audit, all 33 were confirmed as intentionally-gated definers. The signal-to-noise ratio for this rule in that codebase is effectively 0%.

Proposals (any one would help)

Option A — Heuristic: Skip functions whose body references any of auth.uid(), auth.jwt(), public.has_role(, is_admin(, or RAISE EXCEPTION within the first N statements. False positives are still possible, but the rule stops firing on the common "check-then-act" pattern.

Option B — Explicit opt-out via COMMENT: Skip functions whose Postgres comment matches a marker such as lint:0029-safe. Example:

COMMENT ON FUNCTION public.mp_end_room_v2(uuid, text)
  IS 'lint:0029-safe — participant check via auth.uid() inside body';

This is the same escape-hatch pattern many linters use (# noqa, // eslint-disable) and gives auditors a searchable marker in the source.

Option C — Config-driven allowlist: Support a project-level allowlist (e.g. an entry in supabase/config.toml or a magic table public._splinter_ignore) that lists function names to skip.

Option B is the least invasive and the most auditable. Option A alone would already remove most noise.

Why this matters

Right now, teams doing the right thing (definer RPCs for privileged writes, self-gated with auth.uid()) are indistinguishable in the linter output from teams that accidentally left a definer function exposed. That creates alert fatigue on 0029 and pushes teams toward either ignoring the whole rule or maintaining out-of-band allowlists. Any of the three options above would let 0029 flag only the risky definers, which is what the rule was intended to catch.

Happy to contribute a PR for option B if there's interest.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions