andialbrecht / sqlparse

A non-validating SQL parser module for Python
BSD 3-Clause "New" or "Revised" License

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. #771

Closed shashank10456 closed 1 month ago

shashank10456 commented 1 month ago

Describe the bug Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. Getting a CVE issue due to this.

To Reproduce Steps to reproduce the behavior. Please give code examples or concrete SQL statements. Take care of not posting any sensitive information when pasting SQL statements! What's the concrete error / traceback. https://github.com/advisories/GHSA-2m57-hf25-phgg

Expected behavior Should gracefully throw an exception with a clear message instead of failing abruptly.

Versions (please complete the following information):

Additional context Add any other context about the problem here.

https://nvd.nist.gov/vuln/detail/CVE-2024-4340 https://github.com/advisories/GHSA-2m57-hf25-phgg
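A depth guard a caller can put in front of sqlparse.parse(), as an added example that is not part of sqlparse or of this issue: it measures parenthesis nesting in the input (ignoring parentheses inside string literals, quoted identifiers and comments), raises a clear exception when a caller-chosen limit is exceeded, and converts a RecursionError escaping from the parser into that same clear exception, which is the behavior the report asks for. MAX_DEPTH, NestingTooDeepError, max_paren_depth and safe_parse are names chosen here, the limit of 32 is an assumption, and the sample statements are constructed.

```python
"""Bound parenthesis nesting before handing SQL to a recursive parser.

Added example, not sqlparse's own code. Assumptions: a caller-chosen
limit (MAX_DEPTH) and the wrapper name safe_parse().
"""

MAX_DEPTH = 32  # assumed limit; tune to what the application legitimately needs


class NestingTooDeepError(ValueError):
    """Raised with a clear message instead of letting RecursionError escape."""


def max_paren_depth(sql: str) -> int:
    """Return the deepest parenthesis nesting found in *sql*.

    Parentheses inside single-quoted literals, double-quoted identifiers,
    '-- ...' line comments and '/* ... */' block comments are skipped, so a
    literal such as '((((' does not inflate the count.
    """
    depth = deepest = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # skip the quoted region; a doubled quote is an escaped quote
            quote = ch
            i += 1
            while i < n:
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:
                        i += 2
                        continue
                    break  # i now sits on the closing quote
                i += 1
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            i = n if end == -1 else end  # leave i on the newline
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 1  # leave i on the closing '/'
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)  # tolerate unbalanced input; only depth matters here
        i += 1
    return deepest


def safe_parse(sql: str, max_depth: int = MAX_DEPTH):
    """Reject over-nested input up front, then parse with sqlparse.

    The depth check runs before sqlparse is imported, so the guard itself
    has no dependency; a RecursionError raised by the parser anyway is
    re-raised as NestingTooDeepError with a clear message.
    """
    depth = max_paren_depth(sql)
    if depth > max_depth:
        raise NestingTooDeepError(
            f"SQL nesting depth {depth} exceeds limit {max_depth}; refusing to parse"
        )
    import sqlparse  # real library; imported lazily (see docstring)

    try:
        return sqlparse.parse(sql)
    except RecursionError as exc:
        raise NestingTooDeepError("parser hit the interpreter recursion limit") from exc


if __name__ == "__main__":
    # constructed sample: 50 nested parentheses, well past the assumed limit
    deep = "SELECT " + "(" * 50 + "1" + ")" * 50
    try:
        safe_parse(deep)
    except NestingTooDeepError as err:
        print("rejected:", err)
```

The guard is deliberately lexical rather than a full tokenizer: it only needs to be right about where quotes and comments start and end, which keeps it cheap enough to run on every request in front of the real parser.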

andialbrecht commented 1 month ago

This has been fixed in 0.5.0.