From 419f8bfe6fc6e37c69f8642e2e73776b40fa98ef Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 6 May 2024 10:15:26 +0800
Subject: [PATCH] Fix CVE-2024-4340
(cherry picked from commit 08131e4bb8ba38d6bcc8107915f8552213d81962)
---
 CVE-2024-4340.patch | 77 ++++++++++++++++++++++++++++++++++++++++++++
 python-sqlparse.spec | 8 +++--
 2 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-4340.patch
diff --git a/CVE-2024-4340.patch b/CVE-2024-4340.patch
new file mode 100644
index 0000000..74652f2
--- /dev/null
+++ b/CVE-2024-4340.patch
@@ -0,0 +1,77 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+
+---
+ sqlparse/sql.py | 14 +++++++++-----
+ tests/test_regressions.py | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 1ccfbdb..2090621 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+
+
+@@ -209,11 +210,14 @@ class TokenList(Token):
+
+ This method is recursively called for all child tokens.
+ """
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+
+ def get_sublists(self):
+ for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index bc8b7dd..33162f1 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+ import pytest
++import sys
+
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+
+
+ def test_issue9():
+@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():
+ baz AS ()
+ SELECT * FROM baz;""")
+ assert p.get_type() == "SELECT"
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(70)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 100 + ']' * 100)
+--
+2.33.0
+
diff --git a/python-sqlparse.spec b/python-sqlparse.spec
index 8f7e974..e413436 100644
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@@ -3,11 +3,12 @@ Name: python-sqlparse Version: 0.4.4 -Release: 1 +Release: 2 Summary: A non-validating SQL parser. License: BSD-3-Clause URL: https://github.com/andialbrecht/sqlparse Source0: https://github.com/andialbrecht/%{shortname}/archive/%{version}/%{shortname}-%{version}.tar.gz +Patch0: CVE-2024-4340.patch BuildArch: noarch %description
@@ -30,7 +31,7 @@ BuildRequires: python3-flit A non-validating SQL parser. %prep -%autosetup -n sqlparse-%{version} +%autosetup -n sqlparse-%{version} -p1 %build %pyproject_build
@@ -48,6 +49,9 @@ A non-validating SQL parser. %{_bindir}/sqlformat %changelog +* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.4-2 +- Fix CVE-2024-4340 + * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.4-1 - Update package to version 0.4.4 - Fix CVE-2023-30608 -- Gitee
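Review bot: The `try`/`except RecursionError` wrapped around the loop in `TokenList.flatten` (the `sqlparse/sql.py` hunk inside the new patch file) changes the failure mode rather than bounding depth: on deeply nested input the generator still recurses until the interpreter limit is reached and only then re-raises as `SQLParseError`, so code that parses untrusted SQL should still limit input size and catch `SQLParseError` rather than assume a depth cap exists. The docstring directly above the change still says only `This method is recursively called for all child tokens.`; it should document the new contract, e.g. `Raises SQLParseError if the token tree is nested deeper than the interpreter's recursion limit.` The `def flatten(self):` line itself lies outside the hunk, which begins at the tail of that docstring. The regression test in the second inner hunk pins this only for `sqlparse.parse` with the recursion limit lowered to 70; whether other public entry points that reach `flatten` behave the same is not shown here.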