safe-sql-execution

作者: supabase

Safely execute SQL queries against a user database without risking SQL injection or other security vulnerabilities.

npx skills add https://github.com/supabase/supabase --skill safe-sql-execution

Safe SQL execution

Supabase Studio executes SQL statements directly against the user's database. Because this is the authenticated user's own database, our security model is different from most frontend applications: a user should be able to execute any SQL statement, as long as it is proven that they themselves authored it. What we SHOULD NOT ALLOW is execution of SQL statements that can be influenced by an attacker, such as through URL parameters.

Security model

The security model for SQL execution in Supabase Studio is based on the principle of "proven authorship". This means that a user should only be able to execute SQL statements that they have explicitly authored, and not statements that can be influenced by external input.

There are three classes of SQL fragments:

  1. Hardcoded within the application code. These are safe to execute because they cannot be influenced by an attacker. They can be marked with the safeSql utility with pg-meta:

    import { safeSql } from '@supabase/pg-meta'
    
    const sql = safeSql`
      SELECT *
      FROM users
      WHERE id = 1
    `
    

    safeSql automatically creates a string of the branded type SafeSqlFragment. (See Provenance Tracking below.)

  2. Third-party influenceable. These are SQL fragments that can be influenced by an attacker, such as through URL parameters or LLM output. These should be marked with the untrustedSql utility with pg-meta:

    import { untrustedSql } from '@supabase/pg-meta'
    
    const unsafeQuery = searchParams.get('query')
    const querySql = untrustedSql(unsafeQuery)
    

    untrustedSql creates a string of the branded type UntrustedSqlFragment. (See Provenance Tracking below.)

  3. User-authored. These are SQL fragments that are authored by the user themselves within the UI, for example in a text input field. Because the user is the author, these should be considered safe to execute.

    However, there is a caveat, where third-party and user-authored code can mix, contaminating the user-authored code (for example, if an input is prefilled from an unsanitized URL parameter). Provenance tracking helps us track these cases.

    For example, a safe input component could be implemented as follows by requiring that its placeholder and controlled value are of type SafeSqlFragment. In this case we can use its onChange to promote the user input to SafeSqlFragment type, because we know that the user is the author of the input. An implementation of this is in @apps/studio/components/ui/SafeSqlInput.tsx:

    import { rawSql, type SafeSqlFragment } from '@supabase/pg-meta'
    import type { ChangeEvent, ComponentProps } from 'react'
    import { Input } from 'ui-patterns/DataInputs/Input'
    
    type InputProps = ComponentProps<typeof Input>
    
    export type SafeSqlInputProps = Omit<
      InputProps, 'placeholder' | 'value' | 'onChange'
    > & {
      placeholder?: SafeSqlFragment
      value: SafeSqlFragment
      onChange?:
        (event: ChangeEvent<HTMLInputElement>, value: SafeSqlFragment) => void
    }
    
    export const SafeSqlInput = ({ onChange, ...props }: SafeSqlInputProps) => (
      <Input
        {...props}
        onChange={(event) => onChange?.(event, rawSql(event.target.value))}
      />
    )
    

    This is pretty much the ONLY VALID USE CASE of the rawSql export from pg-meta, and it should be used with caution.

Provenance tracking

Branded types are used to track the provenance of SQL fragments. The types, exported from pg-meta, are:

  • SafeSqlFragment: represents SQL fragments that are safe to execute, because they are either hardcoded in the application or authored by the user themselves.
  • UntrustedSqlFragment: represents SQL fragments that can be influenced by an attacker, such as through URL parameters or LLM output.

These are valid ways to generate a SafeSqlFragment:

  • Using the safeSql utility from pg-meta to create hardcoded SQL fragments.
  • Using the sanitization utilities from pg-meta to sanitize untrusted input and promote it to a SafeSqlFragment:
    • ident
    • literal
    • keyword
  • Using the safe SQL manipulation utilities:
    • joinSqlFragments
    • trimSafeSqlFragment

UntrustedSqlFragments can be generated from raw strings using untrustedSql().

There is also a union type, DisplayableSqlFragment, which represents SQL fragments that can be safely displayed in the UI, but not necessarily executed. This includes both SafeSqlFragment and UntrustedSqlFragment.

Security of SQL round-tripped from the user's database

SQL derived directly from catalog tables (e.g., function definitions, RLS expressions, etc.) is considered safe, and it is promoted AT THE POINT OF BEING QUERIED from the database. In most cases, this is in an apps/studio/data/*/.ts file, in the utility function that makes the API or database fetch.

A critical exception to the safety of SQL round-tripped from the database is user snippets. These must NEVER BE CONSIDERED SAFE because they are both (a) externally influenceable and (b) auto-saved. The snippet type uses the unchecked_sql property, which is an UntrustedSqlFragment, to enforce this.

Promoting SQL fragments to SafeSqlFragment type

Given an insecure string or UntrustedSqlFragment, how do we promote it safely to a SafeSqlFragment?

Sanitization utilities

This is the preferred method when the input is sanitizable, e.g., it is a relation name, a column name, will be compared as a literal, etc.

The pg-meta library provides the following sanitization utilities that can be used to safely promote untrusted input to SafeSqlFragment:

  • ident: for sanitizing identifiers such as table names or column names.
  • literal: for sanitizing literal values that will be used in SQL statements.
  • keyword: for sanitizing SQL keywords.

acceptUntrustedSql

Some untrusted SQL fragments cannot be sanitized with the above utilities. For example, the USING expression in the RLS policy editor is an arbitrary SQL expression.

In these cases, we can promote the SQL fragment upon explicit user action. User action indicates that the user has seen the SQL and is OK with running it. For example, an explicit user action could be clicking a "Run" button.

The promotion happens with the acceptUntrustedSql utility from pg-meta,
which takes an UntrustedSqlFragment and returns a SafeSqlFragment.

This utility MUST ONLY BE USED IN event handlers. It should NEVER be used in a useQuery, direct in the render body of a component, in a useEffect, or anywhere it could auto-run without explicit user action.

This is safe:

import { acceptUntrustedSql } from '@supabase/pg-meta'

function SafeComponent() {
  const { mutate: execute } = useExecuteSqlMutation()

  const handleRun = () => {
    // ✅ GOOD: Safe because it is in an event handler which requires a user
    // click
    execute({ sql: acceptUntrustedSql(/* sql */) })
  }

  return (
    <button onClick={handleRun}>Run</button>
  )
}

This is unsafe:

import { acceptUntrustedSql } from '@supabase/pg-meta'

function UnsafeComponent() {
  const { data } = useQuery({
    queryKey: ['execute-sql', sql],
    queryFn: () => {
      // 🛑 BAD: Unsafe because it is in a query which could auto-run without
      // explicit user action
      return execute({ sql: acceptUntrustedSql(/* sql */) })
    },
  })
}

Type guarantees

SQL run against the user's Postgres database runs through the executeSql function, which only takes arguments of type SafeSqlFragment for the SQL parameter. Raw strings or UntrustedSqlFragments will error at compile time.

Examples

Hard-coded SQL

// ✅ GOOD: Automatically safe with `safeSql` utility
const selectStatement = safeSql`select 1`

SQL with sanitizable interpolations

// ✅ GOOD: `pg-meta` utilities sanitize the input
const tableName = ident(userInputTableName)
const searchString = literal(userInputSearchString)
const sqlStatement = safeSql`
  SELECT *
  FROM ${tableName}
  WHERE search_column = ${searchString}
`
// 🛑 BAD: Passing raw strings will type error
const tableName = 'my_table'
const sqlStatement = safeSql`
  SELECT *
  FROM ${tableName}
`

Non-sanitizable SQL from a user input

// ✅ GOOD: SafeSqlInput only allows a value that is a SafeSqlFragment
import { SafeSqlInput } from '@apps/studio/components/ui/SafeSqlInput'

function MyComponent() {
  const [sql, setSql] = useState<SafeSqlFragment>(safeSql``)

  return (
    <SafeSqlInput
      placeholder={safeSql`Enter your SQL query here...`}
      value={sql}
      onChange={(event, value) => setSql(value)}
    />
  )
}
// 🛑 BAD: This input mixes SafeSqlFragments and unsafe strings

function MyBadComponent() {
  const [sql, setSql] = useState<SafeSqlFragment>(safeSql``)

  return (
    <Input
    // 🛑 BAD: This is unsafe because the placeholder is a raw string
      placeholder="Enter your SQL query here..."
      value={sql}
      onChange={(event) => setSql(event.target.value)}
    />
  )
}

Round-tripping SQL from the database (NOT snippet content)

// ✅ GOOD: SQL from the database is promoted to SafeSqlFragment at the point
// of fetching

// data/function-definitions.ts
function markFunctionDefinitionSafe(
  functionDefinition: FunctionDefinition
): SafeFunctionDefinition {
  return {
    ...functionDefinition,
    definition: functionDefinition.definition as SafeSqlFragment,
  }
}

// data/function-definitions.ts
function getFunctionDefinitions() {
  return GET(`/function-definitions`).then((functionDefinitions) =>
    functionDefinitions.map(markFunctionDefinitionSafe)
  )
}
// 🛑 BAD: Strings are promoted to SafeSqlFragment in a utility function, where
// it is impossible to easily determine the safety of the input

// utils.ts
function markFunctionDefinitionSafe(
  functionDefinition: FunctionDefinition
): SafeFunctionDefinition {
  return {
    ...functionDefinition,
    definition: functionDefinition.definition as SafeSqlFragment,
  }
}

// Component.ts
function MyComponent() {
  const { data: functionDefinitions } = useFunctionDefinitions()
  const safeFunctionDefinitions = functionDefinitions.map(markFunctionDefinitionSafe)
}

Snippet content is ALWAYS UNSAFE

Snippets are auto-persisted to the database and can be created or modified through externally influenceable channels (e.g., prefilled from URL params). The unchecked_sql property is typed as UntrustedSqlFragment to enforce this — it must only be promoted to SafeSqlFragment via acceptUntrustedSql in an event handler that requires explicit user action.

// 🛑 BAD: Snippet content is executed automatically via useQuery, with no
// explicit user action confirming that the user has reviewed the SQL.
import { acceptUntrustedSql } from '@supabase/pg-meta'

function UnsafeSnippetPreview({ snippet }: { snippet: Snippet }) {
  const { data } = useExecuteSqlQuery({
    sql: acceptUntrustedSql(snippet.content.unchecked_sql),
  })

  return <Results data={data} />
}
// 🛑 BAD: Casting bypasses the type system entirely. The snippet's
// `unchecked_sql` is `UntrustedSqlFragment` for a reason — never cast it.
function UnsafeSnippetRunner({ snippet }: { snippet: Snippet }) {
  const { mutate: execute } = useExecuteSqlMutation()

  useEffect(() => {
    execute({ sql: snippet.content.unchecked_sql as SafeSqlFragment })
  }, [snippet])
}
// ✅ GOOD: Snippet content is only promoted to SafeSqlFragment inside an event
// handler, after the user clicks Run. The user has seen the SQL in the editor
// and explicitly chosen to execute it.
import { acceptUntrustedSql } from '@supabase/pg-meta'

function SnippetRunner({ snippet }: { snippet: Snippet }) {
  const { mutate: execute } = useExecuteSqlMutation()

  const handleRun = () => {
    execute({ sql: acceptUntrustedSql(snippet.content.unchecked_sql) })
  }

  return (
    <>
      <SnippetEditor snippet={snippet} />
      <button onClick={handleRun}>Run</button>
    </>
  )
}

Analytics SQL (BigQuery / ClickHouse)

The same security model applies to analytics queries, which target BigQuery or ClickHouse via the /platform/projects/{ref}/analytics/endpoints/logs.all{,.otel} endpoints. Filter keys and values from URL parameters and UI inputs are spliced into SQL that runs against the project's logs, so the same injection risk exists.

The brand and helpers live in apps/studio/data/logs/safe-analytics-sql.ts, intentionally disjoint from the pg-meta SafeSqlFragment brand:

  • SafeLogSqlFragment — branded type for analytics SQL.
  • safeSql — template tag that only accepts SafeLogSqlFragment interpolations.
  • analyticsLiteral(value) — sanitizes string/number/boolean literals.
  • quotedIdent(name) — validates and backtick-quotes dotted identifiers.
  • keyword(value, allowed) — validates against an allow-list of operators.
  • joinSqlFragments(fragments, separator) — composes already-branded fragments.

The brands are kept separate because escape semantics differ — Postgres-safe E'…' strings, ::jsonb casts, and double-quoted identifiers are unsafe for BigQuery and/or ClickHouse, and vice versa. Crossing the brands would silently emit unsafe SQL.

The wire-boundary wrapper is executeAnalyticsSql in apps/studio/data/logs/execute-analytics-sql.ts, analogous to pg-meta's executeSql. It accepts only SafeLogSqlFragment for its sql parameter, so raw strings are rejected at compile time. A grep-based vitest (apps/studio/tests/unit/lints/analytics-sql-boundary.test.ts) prevents regressions by failing the build if any file outside execute-analytics-sql.ts calls post() or get() directly against logs.all or logs.all.otel.

import { executeAnalyticsSql } from '@/data/logs/execute-analytics-sql'
import { analyticsLiteral, quotedIdent, safeSql } from '@/data/logs/safe-analytics-sql'

// ✅ GOOD: every interpolation is sanitized.
const sql = safeSql`
  SELECT timestamp, event_message
  FROM ${quotedIdent(table)}
  WHERE id = ${analyticsLiteral(id)}
`

await executeAnalyticsSql({
  projectRef,
  endpoint: '/platform/projects/{ref}/analytics/endpoints/logs.all',
  sql,
  iso_timestamp_start,
  iso_timestamp_end,
})
// 🛑 BAD: raw string interpolation. This fails to type-check at the
// executeAnalyticsSql boundary because the result is `string`, not
// `SafeLogSqlFragment`.
const sql = `SELECT * FROM ${table} WHERE id = '${id}'`
await executeAnalyticsSql({ projectRef, endpoint, sql, ... })

来自 supabase 的更多技能

studio-e2e-tests
supabase
编写并运行Supabase Studio的Playwright端到端测试。在收到相关请求时使用。
official
vitest
supabase
由 Vite 驱动的快速单元测试框架,兼容 Jest API。在编写测试、模拟、配置覆盖率或处理测试时使用。
official
skill-creator
supabase
创建模块化技能的全面指南,用于扩展Claude的能力,涵盖专业知识和工作流程。技能包含必需的SKILL.md文件(含YAML前置元数据和Markdown指令),以及按用途组织、渐进加载以节省上下文的可选捆绑资源(脚本、参考资料、素材)。围绕具体使用案例设计技能;为确定性任务识别可复用脚本,为领域知识准备参考文件,为...提供素材。
official
supabase
supabase
在执行任何涉及Supabase的任务时使用。触发条件:Supabase产品(数据库、认证、边缘函数、实时功能、存储、向量、定时任务、队列);客户端…
official
supabase-server
supabase
在编写使用Supabase的服务器端代码时使用——包括Edge Functions、Hono应用、Webhook处理器或任何需要Supabase认证和客户端创建的后端。
official
clickhouse-logs-queries
supabase
Write, review, and migrate Supabase logs queries against the ClickHouse-backed `logs` table (the `logs.all.otel` analytics endpoint). Use this whenever a task…
official
dev-toolbar-review
supabase
在审查涉及 packages/dev-tools/、packages/common/posthog-client.ts 的 PR 时使用
official
e2e-studio-tests
supabase
在Studio应用中运行端到端测试。当被要求运行端到端测试、运行Studio测试、Playwright测试或测试功能时使用。
official