Parsing heavily nested list leads to Denial of Service
Description
Hi,
thanks for the feedback! sqlparse now catches the RecursionError and raises
a SQLParseError instead.
And thanks again for reporting!
Andi
Am Di., 19. März 2024 um 12:50 Uhr schrieb Uriya Yavnieli <
***@***.***>:
… Hi,
We agree that catching RecursionError or Exception will be enough to
handle it.
However, we saw some open source projects (such as apache superset
<https://github.com/apache/superset>, home assistant
<https://github.com/home-assistant> and galaxy project
<https://github.com/galaxyproject/galaxy>), that implement a server and
use sqlparse without handling this exception, which in their case might
cause a denial of service.
Probably the maintainers are unaware that this kind of exception might be
raised, so maybe writing it in the documentation might be enough.
—
Reply to this email directly, view it on GitHub
<https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg#advisory-comment-98609>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAGIIAJHH3BVDOWINGR273YZARA3AVCNFSM6AAAAABCFKJF2GVHI2DSMVQWIX3LMV436UTFOBXXG2LUN5ZHSQLEOZUXG33SPFBW63LNMVXHIOZZHA3DAOI>
.
You are receiving this because you are either an administrator on
andialbrecht/sqlparse, or a collaborator on GHSA-2m57-hf25-phgg.Message
ID: <andialbrecht/sqlparse/repository-advisories/30388/comments/98609@
github.com>
|
Summary
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Details + PoC
Running the following code will raise Maximum recursion limit exceeded exception:
We expect a traceback of RecursionError:
Fix suggestion
The flatten() function of TokenList class should limit the recursion to a maximal depth:
Impact
Denial of Service (the impact depends on the use).
Anyone parsing a user input with sqlparse.parse() is affected.