SUSE:SLE-15-SP1:Update / python-sqlparse / CVE-2023-30608-ReDOS-parser.patch
File CVE-2023-30608-ReDOS-parser.patch of Package python-sqlparse
From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 From: Andi Albrecht <albrecht.andi@gmail.com> Date: Mon, 20 Mar 2023 08:33:46 +0100 Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. The regex tried to deal with situations where escaping in the SQL to be parsed was suspicious. --- CHANGELOG | 12 ++++++++++++ sqlparse/keywords.py | 4 ++-- tests/test_split.py | 4 ++-- 3 files changed, 16 insertions(+), 4 deletions(-) --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,15 @@ +Additional notable changes +-------------------------- + +* IMPORTANT: This release fixes a security vulnerability in the + parser where a regular expression vulnerable to ReDOS (Regular + Expression Denial of Service) was used. See the security advisory + for details: + https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 + (and CVE-2023-30608) The vulnerability was discovered by + @erik-krogh from GitHub Security Lab (GHSL). Thanks for + reporting! + Release 0.2.4 (Sep 27, 2017) ---------------------------- --- a/sqlparse/keywords.py +++ b/sqlparse/keywords.py @@ -62,9 +62,9 @@ SQL_REGEX = { (r'-?\d*(\.\d+)?E-?\d+', tokens.Number.Float), (r'-?(\d+(\.\d*)|\.\d+)', tokens.Number.Float), (r'-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), - (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), + (r"'(''|\\'|[^'])*'", tokens.String.Single), # not a real string literal in ANSI SQL: - (r'(""|".*?[^\\]")', tokens.String.Symbol), + (r'"(""|\\"|[^"])*"', tokens.String.Symbol), # sqlite names can be escaped with [square brackets]. left bracket # cannot be preceded by word character or a right bracket -- # otherwise it's probably an array index --- a/tests/test_split.py +++ b/tests/test_split.py 
@@ -20,8 +20,8 @@ def test_split_semicolon(): def test_split_backslash(): - stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") - assert len(stmts) == 3 + stmts = sqlparse.parse("select '\'; select '\'';") + assert len(stmts) == 2 @pytest.mark.parametrize('fn', ['function.sql',
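Review bot: the new "Additional notable changes" block inserted at the top of CHANGELOG has no release heading or date, unlike every other section (the next one is "Release 0.2.4 (Sep 27, 2017)"), so a reader cannot tell which version actually ships the ReDoS fix. Give it the same heading form as its neighbours (a release line with a date, or a note that it is a distribution patch applied on top of 0.2.4) rather than a free-floating section above the 2017 entry. The advisory URL and the CVE-2023-30608 reference themselves are fine.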
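Review bot: removing the `\\\\` alternative from the String.Single pattern is the right fix (in `'(''|\\\\|\\'|[^'])*'` a run of backslashes could be split between `\\\\` and `[^']` in exponentially many ways when no closing quote follows), but the hunk leaves no comment saying so, and the next maintainer who notices that `\\` is "not handled" is likely to put it back. Add a one-line comment above both patterns stating that `[^']` / `[^"]` already consume a backslash and that any multi-character backslash alternative recreates the catastrophic backtracking. One behaviour change in the String.Symbol pattern also deserves a test: `".*?[^\\]"` used `.`, which does not match a newline unless the pattern is compiled with DOTALL, whereas the new `"(""|\\"|[^"])*"` matches newlines with `[^"]`, so a double-quoted name spanning lines now tokenizes as a Symbol where it previously did not.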
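Review bot: the rewritten test drops the `r` prefix, so in `"select '\'; select '\'';"` Python itself turns each `\'` into a plain `'` before sqlparse sees anything; the parser receives `select ''; select ''';`, `len(stmts) == 2` holds trivially, and the function no longer exercises a backslash at all despite still being named test_split_backslash. Keep the raw string (for example `r"select '\''; select '\\';"`) so a backslash actually reaches the tokenizer, and add a regression case, guarded by a timeout, for the input class the advisory describes, since the point of this patch is that such input must now be tokenized in linear time.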