Safety vulnerability ID: 41288
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Sqlparse version 0.4.2 includes a fix for CVE-2021-32839: in sqlparse versions 0.4.0 and 0.4.1 there is a Regular Expression Denial of Service (ReDoS) vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of "\r\n" inside SQL comments, so an attacker who controls the SQL text passed to the formatter can make it consume CPU for a long time. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. Upgrading to 0.4.2 or later is the fix; as a workaround, avoid calling sqlparse.format() with the keyword strip_comments=True (the advisory text refers to it as sqlformat.format) and avoid the --strip-comments flag of the sqlformat command-line tool.
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb
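As an added illustration (not code from the sqlparse project or from this advisory): a stand-alone stand-in for the comment-stripping filter's helper that decides what to put in place of a removed comment, with the pre-fix and post-fix patterns as I recall them from the linked commit (an assumption; verify the exact text against that commit), a constructed worst-case comment, and a regex-free scan that makes the same decision in linear time. All function and variable names are mine.

```python
import re
import time

# Assumed from the linked commit: pre-fix pattern (sqlparse 0.4.0/0.4.1) and
# post-fix pattern (0.4.2). Both capture the trailing run of line breaks of a
# comment token, ignoring trailing spaces, so that a removed comment that
# ended a line still leaves a line break behind.
VULNERABLE_PATTERN = re.compile(r'((\r|\n)+) *$')
FIXED_PATTERN = re.compile(r'([\r\n]+) *$')


def replacement_for_comment(comment, pattern=FIXED_PATTERN):
    """Return what replaces a stripped comment: its trailing line breaks if it
    has any, otherwise a single space. Mirrors the filter's decision with the
    given pattern (hypothetical helper, not the project's own)."""
    m = pattern.search(comment)
    return m.group(1) if m else ' '


def replacement_without_regex(comment):
    """Same decision computed by one backwards scan: linear in the comment
    length, no regex engine and therefore no backtracking. It treats the end of
    the string strictly, whereas '$' in the original pattern also matches just
    before a final '\n'; for comments that end in their line-break run (the
    normal case) the two agree."""
    stripped = comment.rstrip(' ')
    end = len(stripped)
    start = end
    while start > 0 and stripped[start - 1] in '\r\n':
        start -= 1
    return stripped[start:end] if start < end else ' '


def redos_payload(reps):
    """Constructed worst case: a block comment whose body is `reps` CRLF
    pairs. It ends in '*/', so the anchored pattern never matches and the
    engine has to give up from every starting position."""
    return '/*' + '\r\n' * reps + '*/'


def time_pattern(pattern, comment):
    """Seconds spent by one search of `pattern` over `comment`."""
    started = time.perf_counter()
    pattern.search(comment)
    return time.perf_counter() - started


if __name__ == '__main__':
    # Normal comment tokens: all three approaches agree.
    for sample in ('-- trailing\r\n', '/* inline */', '-- x\n\n  '):
        assert (replacement_for_comment(sample, VULNERABLE_PATTERN)
                == replacement_for_comment(sample, FIXED_PATTERN)
                == replacement_without_regex(sample))

    # Hostile comment: same answer, very different cost. Raise `reps` until
    # the gap is obvious on your machine; the numbers are machine-dependent.
    for reps in (500, 1000, 2000):
        payload = redos_payload(reps)
        print('reps=%5d  pre-fix %.3fs  post-fix %.3fs  scan %s' % (
            reps,
            time_pattern(VULNERABLE_PATTERN, payload),
            time_pattern(FIXED_PATTERN, payload),
            repr(replacement_without_regex(payload))))
```

Run it directly to see the timings; the check that matters for a code base is that the anchored search is applied to attacker-controlled comment text, which is why the regex-free scan, not just the narrower pattern, is the conservative choice when you cannot upgrade.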
Latest version: 0.5.3
A non-validating SQL parser.
----------------------------
Notable Changes
* IMPORTANT: This release fixes a security vulnerability in the
strip comments filter. In this filter a regular expression that was
vulnerable to ReDoS (Regular Expression Denial of Service) was
used. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
The vulnerability was discovered by erik-krogh and yoff from
GitHub Security Lab (GHSL). Thanks for reporting!
Enhancements
* Add ELSIF as keyword (issue584).
* Add CONFLICT and ON_ERROR_STOP keywords (pr595, by j-martin).
Bug Fixes
* Fix parsing of backticks (issue588).
* Fix parsing of scientific number (issue399).