Update dependency sqlparse to v0.5.0 [SECURITY] #50
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==0.3.1
->==0.5.0
GitHub Vulnerability Alerts
CVE-2023-30608
Impact
The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).
Patches
This issues has been fixed in sqlparse 0.4.4.
Workarounds
None.
References
This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen).
CVE-2024-4340
Summary
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Details + PoC
Running the following code will raise Maximum recursion limit exceeded exception:
We expect a traceback of RecursionError:
Fix suggestion
The flatten() function of TokenList class should limit the recursion to a maximal depth:
Impact
Denial of Service (the impact depends on the use).
Anyone parsing a user input with sqlparse.parse() is affected.
Release Notes
andialbrecht/sqlparse (sqlparse)
v0.5.0
Compare Source
Notable Changes
error for deeply nested statements. Instead of recursion error a generic
SQLParseError is raised. See the security advisory for details:
GHSA-2m57-hf25-phgg
The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting!
Enhancements:
Some database backends love statements without semicolon (issue742).
Bug Fixes
by josuc1, thanks for bringing this up!).
Other
v0.4.4
Compare Source
Notable Changes
parser where a regular expression vulnerable to ReDOS (Regular
Expression Denial of Service) was used. See the security advisory
for details: GHSA-rrm6-wvj7-cwh2
The vulnerability was discovered by @erik-krogh from GitHub
Security Lab (GHSL). Thanks for reporting!
Bug Fixes
The primary expectation is that IN is treated as a keyword and not as a
comparison operator. That also follows the definition of reserved keywords
for the major SQL syntax definitions.
Other
v0.4.3
Compare Source
Enhancements
Bug Fixes
Other
v0.4.2
Compare Source
Notable Changes
strip comments filter. In this filter a regular expression that was
vulnerable to ReDOS (Regular Expression Denial of Service) was
used. See the security advisory for details: GHSA-p5w8-wqhj-9hhf
The vulnerability was discovered by @erik-krogh and @yoff from
GitHub Security Lab (GHSL). Thanks for reporting!
Enhancements
Bug Fixes
v0.4.1
Compare Source
Bug Fixes
v0.4.0
Compare Source
Notable Changes
required.
statements anymore. Code that ignored the last element from
sqlparse.split() should be updated accordingly since that function
now doesn't return an empty string as the last element in some
cases (issue496).
Enhancements
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.