feat: prevent passing in role claim in presigned URL JWTs

supabase · Jul 14, 2024 · c97ba49 · c97ba49
1 parent f6d2fbc
commit c97ba49
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/storage/object.ts b/src/storage/object.ts
@@ -540,6 +540,10 @@ export class ObjectStorage {
       return all
     }, metadata || {})
 
+    // security-in-depth: as signObjectUrl could be used as a signing oracle,
+    // make sure it's never able to specify a role JWT claim
+    delete metadata['role']
+
     const urlParts = url.split('/')
     const urlToSign = decodeURI(urlParts.splice(3).join('/'))
     const { secret: jwtSecret } = await getJwtSecret(this.db.tenantId)