CVE-2023-30608

Advisory

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Affected package

Affected versions

Fixed versions

Vulnerability changelog

----------------------------

Notable Changes

* IMPORTANT: This release fixes a security vulnerability in the
parser where a regular expression vulnerable to ReDOS (Regular
Expression Denial of Service) was used. See the security advisory
for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
The vulnerability was discovered by erik-krogh from GitHub
Security Lab (GHSL). Thanks for reporting!

Bug Fixes

* Revert a change from 0.4.0 that changed IN to be a comparison (issue694).
The primary expectation is that IN is treated as a keyword and not as a
comparison operator. That also follows the definition of reserved keywords
for the major SQL syntax definitions.
* Fix regular expressions for string parsing.

Other

* sqlparse now uses pyproject.toml instead of setup.cfg (issue685).

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30608
• https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
• https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
• https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
• https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
• https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html