Title
0029: allow opt-in suppression for SECURITY DEFINER functions that self-gate the caller
Body
Summary
Rule 0029_authenticated_security_definer_function_executable flags every SECURITY DEFINER function in the exposed API schema that is executable by authenticated. In codebases that legitimately rely on definer RPCs for cross-user reads, RPC-only tables, and rate-limit counters, this produces a large number of warnings that cannot be resolved without either (a) removing DEFINER and breaking the RPC's purpose, or (b) revoking EXECUTE from authenticated and moving the call off the Data API.
Both options are unattractive for the common pattern where a definer function is the gate:
CREATE OR REPLACE FUNCTION public.mp_end_room_v2(p_game_id uuid, p_reason text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = 'public' AS $$
DECLARE v_uid uuid := auth.uid();
BEGIN
IF v_uid IS NULL THEN RETURN; END IF;
-- ...participant check against mp_games...
UPDATE public.mp_games SET status = 'ended' WHERE id = p_game_id
AND (host_user_id = v_uid OR guest_user_id = v_uid);
END $$;
This function needs DEFINER because it mutates the opponent's row in mp_games; it self-gates via auth.uid() and a participant check. There is no safe alternative: SECURITY INVOKER would fail RLS, and revoking EXECUTE FROM authenticated would make the game unplayable.
Concrete data point
In a game project with ~40 definer RPCs (matchmaking, chat, ranked Elo, spectator flow), rule 0029 flags 33+ functions. After a manual audit, all 33 were confirmed as intentionally-gated definers. The signal-to-noise ratio for this rule in that codebase is effectively 0%.
Proposals (any one would help)
Option A — Heuristic: Skip functions whose body references any of auth.uid(), auth.jwt(), public.has_role(, is_admin(, or RAISE EXCEPTION within the first N statements. False positives are still possible, but the rule stops firing on the common "check-then-act" pattern.
Option B — Explicit opt-out via COMMENT: Skip functions whose Postgres comment matches a marker such as lint:0029-safe. Example:
COMMENT ON FUNCTION public.mp_end_room_v2(uuid, text)
IS 'lint:0029-safe — participant check via auth.uid() inside body';
This is the same escape-hatch pattern many linters use (# noqa, // eslint-disable) and gives auditors a searchable marker in the source.
Option C — Config-driven allowlist: Support a project-level allowlist (e.g. an entry in supabase/config.toml or a magic table public._splinter_ignore) that lists function names to skip.
Option B is the least invasive and the most auditable. Option A alone would already remove most noise.
Why this matters
Right now, teams doing the right thing (definer RPCs for privileged writes, self-gated with auth.uid()) are indistinguishable in the linter output from teams that accidentally left a definer function exposed. That creates alert fatigue on 0029 and pushes teams toward either ignoring the whole rule or maintaining out-of-band allowlists. Any of the three options above would let 0029 flag only the risky definers, which is what the rule was intended to catch.
Happy to contribute a PR for option B if there's interest.
Title
0029: allow opt-in suppression forSECURITY DEFINERfunctions that self-gate the callerBody
Summary
Rule
0029_authenticated_security_definer_function_executableflags everySECURITY DEFINERfunction in the exposed API schema that is executable byauthenticated. In codebases that legitimately rely on definer RPCs for cross-user reads, RPC-only tables, and rate-limit counters, this produces a large number of warnings that cannot be resolved without either (a) removing DEFINER and breaking the RPC's purpose, or (b) revokingEXECUTEfromauthenticatedand moving the call off the Data API.Both options are unattractive for the common pattern where a definer function is the gate:
This function needs DEFINER because it mutates the opponent's row in
mp_games; it self-gates viaauth.uid()and a participant check. There is no safe alternative:SECURITY INVOKERwould fail RLS, and revokingEXECUTE FROM authenticatedwould make the game unplayable.Concrete data point
In a game project with ~40 definer RPCs (matchmaking, chat, ranked Elo, spectator flow), rule
0029flags 33+ functions. After a manual audit, all 33 were confirmed as intentionally-gated definers. The signal-to-noise ratio for this rule in that codebase is effectively 0%.Proposals (any one would help)
Option A — Heuristic: Skip functions whose body references any of
auth.uid(),auth.jwt(),public.has_role(,is_admin(, orRAISE EXCEPTIONwithin the first N statements. False positives are still possible, but the rule stops firing on the common "check-then-act" pattern.Option B — Explicit opt-out via COMMENT: Skip functions whose Postgres comment matches a marker such as
lint:0029-safe. Example:This is the same escape-hatch pattern many linters use (
# noqa,// eslint-disable) and gives auditors a searchable marker in the source.Option C — Config-driven allowlist: Support a project-level allowlist (e.g. an entry in
supabase/config.tomlor a magic tablepublic._splinter_ignore) that lists function names to skip.Option B is the least invasive and the most auditable. Option A alone would already remove most noise.
Why this matters
Right now, teams doing the right thing (definer RPCs for privileged writes, self-gated with
auth.uid()) are indistinguishable in the linter output from teams that accidentally left a definer function exposed. That creates alert fatigue on0029and pushes teams toward either ignoring the whole rule or maintaining out-of-band allowlists. Any of the three options above would let0029flag only the risky definers, which is what the rule was intended to catch.Happy to contribute a PR for option B if there's interest.