diff --git a/fix-cve-2024-4340.patch b/fix-cve-2024-4340.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c063e32bd0823fc9d1d9cef7dc875f96ff46eeea
--- /dev/null
+++ b/fix-cve-2024-4340.patch
@@ -0,0 +1,98 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+---
+ CHANGELOG | 5 +++++
+ sqlparse/sql.py | 14 +++++++++-----
+ tests/test_regressions.py | 17 ++++++++++++++++-
+ 3 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 4e98e7f..6c442c0 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -5,6 +5,11 @@ Notable Changes
+ 
+ * Drop support for Python 3.5, 3.6, and 3.7.
+ * Python 3.12 is now supported (pr725, by hugovk).
++* IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion
++ error for deeply nested statements. Instead of recursion error a generic
++ SQLParseError is raised. See the security advisory for details:
++ https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg
++ The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting!
+ 
+ Enhancements:
+ 
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 05e1774..bd5f35b 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+ 
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+ 
+ 
+@@ -209,11 +210,14 @@ class TokenList(Token):
+ 
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+ 
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 29cb502..1edd3da 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,9 +1,11 @@
+ import copy
++import sys
+ 
+ import pytest
+ 
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+ 
+ 
+ def test_issue9():
+@@ -449,4 +451,17 @@ def test_copy_issue672():
+ def test_primary_key_issue740():
+ p = sqlparse.parse('PRIMARY KEY')[0]
+ assert len(p.tokens) == 1
+- assert p.tokens[0].ttype == T.Keyword
+\ No newline at end of file
++ assert p.tokens[0].ttype == T.Keyword
++
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(70)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 100 + ']' * 100)
+--
+2.23.0
+
diff --git a/python-sqlparse.spec b/python-sqlparse.spec
index 8f7e974a17f3fbb8a3b859e6f9907a7711c93e2f..99480c3f2fcaec6b00f462b2bb0456afd5b4b1ce 100644
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@@ -3,11 +3,12 @@ Name: python-sqlparse
 Version: 0.4.4
-Release: 1
+Release: 2
 Summary: A non-validating SQL parser.
 License: BSD-3-Clause
 URL: https://github.com/andialbrecht/sqlparse
 Source0: https://github.com/andialbrecht/%{shortname}/archive/%{version}/%{shortname}-%{version}.tar.gz
+Patch0: fix-cve-2024-4340.patch
 BuildArch: noarch
 
 %description
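Review bot: The embedded upstream commit b4a39d98 contains hunks whose context does not look like the 0.4.4 tree this spec builds from: the CHANGELOG hunk expects the lines "Drop support for Python 3.5, 3.6, and 3.7" and "Python 3.12 is now supported (pr725, by hugovk)", which describe changes made after 0.4.4, and the tests hunk anchors on `test_primary_key_issue740`, which may likewise postdate 0.4.4. A rejected hunk aborts `%prep`, so a clean build is the only evidence the sqlparse/sql.py hunk landed; with fuzz or a hand-edited patch it is easy to end up with a package that advertises a CVE-2024-4340 fix it does not contain. Consider regenerating the patch against the 0.4.4 tag, or trimming it to the sqlparse/sql.py hunk plus a rebased regression test, and confirm in the build log that the sql.py hunk applied. The added `test_max_recursion` case (recursion limit 70, 100 nested brackets, expecting `SQLParseError`) is a good `%check` candidate to prove the fix is live in the built package.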
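Review bot: `Patch0:` declares the fix but nothing in this hunk applies it; whether it lands depends on the `%prep` section, which is outside the hunk. With `%autosetup` or `%autopatch -p1` the patch is applied automatically, but with a plain `%setup` it is silently ignored and the Release bump plus the changelog entry would claim a CVE-2024-4340 fix the built package does not contain. Check `%prep` and, if needed, add `%patch0 -p1` after the `%setup` line (the embedded patch uses `a/` and `b/` path prefixes, so `-p1` is required) or switch to `%autosetup -p1`. It is also worth running upstream's `test_max_recursion` in `%check` so the fix is verified rather than assumed.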
@@ -48,6 +49,9 @@ A non-validating SQL parser.
 %{_bindir}/sqlformat
 
 %changelog
+* Mon May 6 2024 kouwenqi - 0.4.4-2
+- fix CVE-2024-4340
+
 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.4-1
 - Update package to version 0.4.4
 - Fix CVE-2023-30608