Isolation Matrix

Verified vs RealPostgres
Table Name Policy Type Attack Proof Status
organizations RLS / SELECT Blocked (0 rows) VERIFIED
projects RLS / ALL Blocked (IDOR) VERIFIED
tickets RLS / UPDATE LEAK: Data Mutated BREACH
documents RLS / SELECT Blocked (JWT) VERIFIED
user_profiles RLS / INSERT Success (Self) VERIFIED

Financial Risk Impact

MAX EXPOSURE

Confirmed cross-tenant BOLA leak on 'tickets' table.

$122,500 / per incident

4,200 exposed PII records × $29.16 avg forensic recovery & HIPAA penalty cost.

Critical Findings

transactions CRITICAL
Missing AS RESTRICTIVE enforcement. Existing policies are permissive, allowing bypass via overlapping roles.
-- REMEDIATION: Cross-Tenant Mutation (IDOR) Hardening -- Logic: Enforce Restrictive JWT Claim Validation DROP POLICY IF EXISTS "tenant_isolation_policy" ON "public"."transactions"; CREATE POLICY "tenant_isolation_policy" ON "public"."transactions" AS RESTRICTIVE -- Ensures no other policy can accidentally grant access FOR ALL TO authenticated USING ( tenant_id = (select auth.jwt() ->> 'tenant_id')::uuid ) WITH CHECK ( tenant_id = (select auth.jwt() ->> 'tenant_id')::uuid ); -- Note: Validation shifted from auth.uid() to tenant_id claim to -- prevent role-escalation and orphan record creation.
secure_audit_log SECURITY DEFINER
Search Path Hijacking vulnerability detected. Function executes with owner privileges without schema locking.
-- REMEDIATION: SECURITY DEFINER Search Path Hijacking -- Fix: Explicit Search Path & Contextual Validation CREATE OR REPLACE FUNCTION "internal"."secure_audit_log"(row_id uuid) RETURNS void LANGUAGE plpgsql SECURITY DEFINER -- Runs with owner privileges SET search_path = public, pg_temp -- Prevent hijacking by locking the search path AS $$ BEGIN -- Verify the session JWT 'tenant_id' matches the target row's tenant_id IF NOT EXISTS ( SELECT 1 FROM public.tenant_data WHERE id = row_id AND tenant_id = (select auth.jwt() ->> 'tenant_id')::uuid ) THEN RAISE EXCEPTION 'Unauthorized: Isolation Boundary Violation Detected'; END IF; INSERT INTO internal.audit_trail (target_id, actor_id) VALUES (row_id, auth.uid()); END; $$;