[Security] Bump sqlparse from 0.4.4 to 0.5.0
Bumps sqlparse from 0.4.4 to 0.5.0. This update includes a security fix.
Vulnerabilities fixed
sqlparse parsing heavily nested list leads to Denial of Service
Summary
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Details + PoC
Running the following code will raise a Maximum recursion limit exceeded exception:
import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)
We expect a traceback of RecursionError:
Traceback (most recent call last):
  File "trigger_sqlparse_nested_list.py", line 3, in <module>
    sqlparse.parse('[' * 10000 + ']' * 10000)
  File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py", line 30, in parse
    return tuple(parsestream(sql, encoding))
  File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py", line 36, in run
    stmt = grouping.group(stmt)
  File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py", line 428, in group
    func(stmt)
... (truncated)
Patched versions: 0.5.0
Affected versions: < 0.5.0
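A defender-side guard for the failure mode described above, added here as an example that is not part of sqlparse or of this PR: it measures bracket nesting (ignoring brackets inside string literals and comments) before the text ever reaches sqlparse.parse(), so the PoC input is rejected without invoking the parser, and it treats the parser's own give-up (RecursionError before 0.5.0, SQLParseError from 0.5.0) as the same rejected outcome. MAX_DEPTH, the function names and the sample inputs are assumptions.

```python
MAX_DEPTH = 100  # assumed budget; legitimate SQL rarely nests this deep


def max_nesting_depth(sql: str) -> int:
    """Deepest (), [] or {} nesting, ignoring brackets inside quoted
    literals ('...' / "...") and inside -- or /* */ comments."""
    depth = deepest = 0
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                  # skip a quoted literal
            j = sql.find(c, i + 1)
            i = n if j == -1 else j + 1
            continue
        if sql.startswith("--", i):          # skip a line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j + 1
            continue
        if sql.startswith("/*", i):          # skip a block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        if c in "([{":
            depth += 1
            deepest = max(deepest, depth)
        elif c in ")]}":
            depth = max(0, depth - 1)        # stray closers never go negative
        i += 1
    return deepest


def parse_guarded(sql: str, max_depth: int = MAX_DEPTH):
    """Return sqlparse's statement tuple, or None when the input is rejected,
    either by the depth gate (parser never runs) or because the parser gave
    up: RecursionError on sqlparse < 0.5.0, SQLParseError on 0.5.0."""
    if max_nesting_depth(sql) > max_depth:
        return None                          # never reaches the parser
    import sqlparse                          # lazy import: only needed past the gate
    from sqlparse.exceptions import SQLParseError
    try:
        return sqlparse.parse(sql)
    except (RecursionError, SQLParseError):
        return None


if __name__ == "__main__":
    poc = "[" * 10000 + "]" * 10000         # the advisory's PoC input (constructed here)
    print(max_nesting_depth(poc), parse_guarded(poc))
```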
Changelog
Sourced from sqlparse's changelog.
Release 0.5.0 (Apr 13, 2024)
Notable Changes
- Drop support for Python 3.5, 3.6, and 3.7.
- Python 3.12 is now supported (pr725, by hugovk).
- IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements. Instead of recursion error a generic SQLParseError is raised. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting!
Enhancements
- Splitting statements now allows removing the semicolon at the end. Some database backends love statements without semicolon (issue742).
- Support TypedLiterals in get_parameters (pr649, by Khrol).
- Improve splitting of Transact SQL when using GO keyword (issue762).
- Support for some JSON operators (issue682).
- Improve formatting of statements containing JSON operators (issue542).
- Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
- Support parsing of OVER clause (issue701, pr768 by r33s3n6).
Bug Fixes
- Ignore dunder attributes when creating Tokens (issue672).
- Allow operators to precede dollar-quoted strings (issue763).
- Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
- Thread-safe initialization of Lexer class (issue730).
- Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719 by josuc1, thanks for bringing this up!).
- Fix parsing of PRIMARY KEY (issue740).
Other
- Optimize performance of matching function (pr799, by admachainz).
Commits
- ddbd0ec Bump version.
- 29f2e0a Raise recursion limit for tests.
- b4a39d9 Raise SQLParseError instead of RecursionError.
- f1bcf2f Update AUTHORS and Changelog.
- e03b74e Fix Function.get_parameters(), add Function.get_window()
- 617b8f6 Add OVER clause, and group it into Function (fixes #701)
- d8f8147 Update AUTHORS and Changelog.
- 012c9f1 Optimize sqlparse.utils.imt().
- 46971e5 Fix parsing of PRIMARY KEY (fixes #740).
- fc4b0be Code cleanup.
- Additional commits viewable in compare view