security-supabase
Warn
Audited by Socket on Feb 12, 2026
1 alert found:
Anomaly (severity: LOW) in references/rls-security-definer.md
This document contains safe, non-obfuscated guidance together with intentionally insecure examples that illustrate the dangerous behavior of SECURITY DEFINER functions with respect to RLS. The insecure example demonstrates a real supply-chain-like risk in database code: a SECURITY DEFINER function owned by a superuser runs with the owner's privileges and so bypasses RLS, which lets it act as a hidden backdoor for data exfiltration or unauthorized modification. The file itself is not malicious code but documents a high-risk pattern; follow the recommended mitigations (use SECURITY INVOKER by default, restrict EXECUTE, set search_path) and audit existing functions.
Confidence: 90%
Severity: 60%
Audit Metadata