Closed renovate[bot] closed 1 month ago
@renovate ignore this minor
Because you closed this PR without merging, Renovate will ignore this update (==0.5.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
@PaulGarewal Why are you closing instead of (solving and) merging updates? If this project were more stable that'd be inadvisable. @fergmac
This PR contains the following updates:
sqlparse ==0.4.4 -> ==0.5.0
GitHub Vulnerability Alerts
CVE-2024-4340
Summary
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Details + PoC
Running the following code raises a "maximum recursion limit exceeded" exception:
We expect a traceback ending in RecursionError:
Fix suggestion
The flatten() function of the TokenList class should limit recursion to a maximum depth:
Impact
Denial of Service (the impact depends on how the library is used). Anyone parsing user-controlled input with sqlparse.parse() is affected.
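As an added illustration (not sqlparse's own code, and not the advisory's PoC) of the fix direction described above and in the 0.5.0 release notes: a minimal stand-in for TokenList whose flatten() enforces a nesting cap and a caller-side wrapper that turns any remaining RecursionError into a generic, catchable SQLParseError. Token, TokenList, MAX_DEPTH, flatten_values() and nested() are simplified names assumed for this example only.

```python
# Added example, not sqlparse's own code: a depth-capped flatten() in the spirit
# of the advisory's fix suggestion. Token/TokenList/MAX_DEPTH/nested() are
# simplified stand-ins assumed for this illustration only.
from typing import Iterator, List

MAX_DEPTH = 200  # assumed cap on group nesting; tune per deployment

class SQLParseError(Exception):
    """Generic parse failure a caller can catch (0.5.0 raises this, not RecursionError)."""

class Token:
    is_group = False

    def __init__(self, value: str) -> None:
        self.value = value

class TokenList(Token):
    is_group = True

    def __init__(self, tokens: List[Token]) -> None:
        super().__init__("")
        self.tokens = tokens

    def flatten(self, depth: int = 0, max_depth: int = MAX_DEPTH) -> Iterator[Token]:
        """Yield leaf tokens; fail fast with a catchable error once depth passes the cap."""
        if depth > max_depth:
            raise SQLParseError(f"nesting depth exceeds {max_depth}")
        for token in self.tokens:
            if token.is_group:
                yield from token.flatten(depth + 1, max_depth)
            else:
                yield token

def flatten_values(group: TokenList, max_depth: int = MAX_DEPTH) -> List[str]:
    """Caller-side guard: even an unguarded RecursionError surfaces as SQLParseError."""
    try:
        return [t.value for t in group.flatten(max_depth=max_depth)]
    except RecursionError as err:
        raise SQLParseError("maximum recursion depth exceeded") from err

def nested(depth: int) -> TokenList:
    """Constructed input: one leaf wrapped in `depth` nested groups (at least 1)."""
    node: Token = Token("1")
    for _ in range(max(depth, 1)):
        node = TokenList([node])
    return node  # type: ignore[return-value]
```

A service that wraps parsing this way can reject over-nested input with a normal error response instead of an uncaught RecursionError that takes down the worker.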
Release Notes
andialbrecht/sqlparse (sqlparse)
### [`v0.5.0`](https://redirect.github.com/andialbrecht/sqlparse/blob/HEAD/CHANGELOG#Release-050-Apr-13-2024) [Compare Source](https://redirect.github.com/andialbrecht/sqlparse/compare/0.4.4...0.5.0)

Notable Changes

- Drop support for Python 3.5, 3.6, and 3.7.
- Python 3.12 is now supported (pr725, by hugovk).
- IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements. Instead of recursion error a generic SQLParseError is raised. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg The vulnerability was discovered by [@uriyay-jfrog](https://redirect.github.com/uriyay-jfrog). Thanks for reporting!

Enhancements:

- Splitting statements now allows to remove the semicolon at the end. Some database backends love statements without semicolon (issue742).
- Support TypedLiterals in get_parameters (pr649, by Khrol).
- Improve splitting of Transact SQL when using GO keyword (issue762).
- Support for some JSON operators (issue682).
- Improve formatting of statements containing JSON operators (issue542).
- Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
- Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

- Ignore dunder attributes when creating Tokens (issue672).
- Allow operators to precede dollar-quoted strings (issue763).
- Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
- Thread-safe initialization of Lexer class (issue730).
- Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719 by josuc1, thanks for bringing this up!).
- Fix parsing of PRIMARY KEY (issue740).

Other

- Optimize performance of matching function (pr799, by admachainz).

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.
Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are deployed in: