Files stored in private buckets can be accessed by anyone using the image transformation url

[yowzadave]

Bug report

Describe the bug

If I create a private bucket and store an image in it, then the file is accessible to anyone who uses the image transformation URL, regardless of RLS rules/authentication.

To Reproduce

Store any image file in a private bucket:

const result = await supabase.storage
  .from("files")
  .upload("my-secret-image.jpg", data, { contentType: "image/jpeg" });

Then visit the following URL from any browser to access the file:

https://mysupabaseid.supabase.co/storage/v1/render/image/public/files/my-secret-image.jpg

[github-actions]

🎉 This issue has been resolved in version 0.30.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

[fenos]

@yowzadave Thanks for reporting the issue, it has been promptly fixed