←back to thread

Supabase MCP can leak your entire SQL database

(www.generalanalysis.com)
780 points rexpository | 1 comments | 08 Jul 25 17:46 UTC | HN request time: 0s | source
Show context
tptacek ◴[08 Jul 25 19:15 UTC] No.44503091[source]
This is just XSS mapped to LLMs. The problem, as is so often the case with admin apps (here "Cursor and the Supabase MCP" is an ad hoc admin app), is that they get a raw feed of untrusted user-generated content (they're internal scaffolding, after all).

In the classic admin app XSS, you file a support ticket with HTML and injected Javascript attributes. None of it renders in the customer-facing views, but the admin views are slapped together. An admin views the ticket (or even just a listing of all tickets) and now their session is owned up.

Here, just replace HTML with LLM instructions, the admin app with Cursor, the browser session with "access to the Supabase MCP".

replies(4): >>44503182 #>>44503194 #>>44503269 #>>44503304 #
ollien ◴[08 Jul 25 19:39 UTC] No.44503304[source]
You're technically right, but by reducing the problem to being "just" another form of a classic internal XSS, missing the forest for the trees.

An XSS mitigation takes a blob of input and converts it into something that we can say with certainty will never execute. With prompt injection mitigation, there is no set of deterministic rules we can apply to a blob of input to make it "not LLM instructions". To this end, it is fundamentally unsafe to feed _any_ untrusted input into an LLM that has access to privileged information.

replies(2): >>44503346 #>>44503483 #
tptacek ◴[08 Jul 25 19:43 UTC] No.44503346[source]
Seems pretty simple: the MCP calls are like an eval(), and untrusted input can't ever hit it. Your success screening and filtering LLM'd eval() inputs will be about as successful as your attempts to sanitize user-generated content before passing them to an eval().

eval() --- still pretty useful!

replies(2): >>44503430 #>>44503440 #
ollien ◴[08 Jul 25 19:53 UTC] No.44503430[source]
Untrusted user input can be escaped if you _must_ eval (however ill-advised), depending on your language (look no further than shell escaping...). There is a set of rules you can apply to guarantee untrusted input will be stringified and not run as code. They may be fiddly, and you may wish to outsource them to a battle-tested library, but they _do_ exist.

Nothing exists like this for an LLM.

replies(1): >>44503537 #
IgorPartola ◴[08 Jul 25 20:03 UTC] No.44503537{3}[source]
Which doesn’t make any sense. Why can’t we have escaping for prompts? Because it’s not “natural”?
replies(4): >>44503555 #>>44503751 #>>44503776 #>>44505048 #
tptacek ◴[08 Jul 25 20:05 UTC] No.44503555{4}[source]
We don't have escaping for eval! There's a whole literature in the web security field for why that approach is cursed!
replies(2): >>44503570 #>>44503769 #
IgorPartola ◴[08 Jul 25 20:06 UTC] No.44503570{5}[source]
Fair enough but how did we not learn from that fiasco? We have escaping for every other protocol and interface since.
replies(2): >>44503583 #>>44503850 #
1. tptacek ◴[08 Jul 25 20:07 UTC] No.44503583{6}[source]
Again: we do not. Front-end code relies in a bunch of ways on eval and it's equivalents. What we don't do is pass filtered/escaped untrusted strings directly to those functions.