
I won't claim to be as well-versed as you are in security compliance -- in fact I will say I definitively am not. Why would you think that it isn't a meaningful difference here? I would never simply pipe sqlite3 output to `eval`, but that's effectively what the MCP tool output is doing.


If you give a competent attacker a single input line on your REPL, you are never again going to see an output line that they don't want you to see.


We're agreeing, here. I'm in fact suggesting you _shouldn't_ use the output from your database as input.
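
The pattern discussed in this thread, as an added example that is not part of any comment: a row read back from SQLite is either passed to `eval` or kept as data. The table, the row text and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding one user-submitted row (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, body TEXT)")
    # Constructed row: whoever can file a ticket controls this text.
    db.execute("INSERT INTO tickets (body) VALUES (?)",
               ("visible.clear() or 'no open tickets'",))
    return db

def unsafe_repl_step(db, visible):
    """Anti-pattern: query output is fed straight to eval()."""
    (body,) = db.execute("SELECT body FROM tickets WHERE id = 1").fetchone()
    # The stored text now runs as code and can rewrite what the
    # operator is shown from this point on.
    return eval(body, {"visible": visible})

def safe_repl_step(db, visible):
    """Query output stays data: it is displayed escaped, never interpreted."""
    (body,) = db.execute("SELECT body FROM tickets WHERE id = 1").fetchone()
    visible.append(repr(body))
    return visible[-1]

def demo():
    """Run both paths against the same starting screen history."""
    db = make_db()
    history = ["alert: 3 failed logins"]
    shown = unsafe_repl_step(db, history)
    unsafe_result = (shown, list(history))
    history = ["alert: 3 failed logins"]
    shown = safe_repl_step(db, history)
    return unsafe_result, (shown, list(history))

if __name__ == "__main__":
    for label, result in zip(("unsafe", "safe"), demo()):
        print(label, result)
```

In the unsafe path the alert line disappears from the history and the operator sees only the text the row chose; in the safe path the row is shown as a quoted string and the alert is still there.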



