Skip to content

Commit

Permalink
Remove unnecessary parts in regex for bad escaping.
Browse files Browse the repository at this point in the history
The regex tried to deal with situations where escaping in the
SQL to be parsed was suspicious.
  • Loading branch information
andialbrecht committed Apr 18, 2023
1 parent b949fdf commit c457abd
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 4 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG
Original file line number Diff line number Diff line change
@@ -1,12 +1,22 @@
Development Version
-------------------

Notable Changes

* IMPORTANT: This release fixes a security vulnerability in the
parser where a regular expression vulnerable to ReDOS (Regular
Expression Denial of Service) was used. See the security advisory
for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
The vulnerability was discovered by @erik-krogh from GitHub
Security Lab (GHSL). Thanks for reporting!

Bug Fixes

* Revert a change from 0.4.0 that changed IN to be a comparison (issue694).
The primary expectation is that IN is treated as a keyword and not as a
comparison operator. That also follows the definition of reserved keywords
for the major SQL syntax definitions.
* Fix regular expressions for string parsing.

Other

Expand Down
4 changes: 2 additions & 2 deletions sqlparse/keywords.py
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,9 @@
(r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
tokens.Number.Float),
(r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
(r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
(r"'(''|\\'|[^'])*'", tokens.String.Single),
# not a real string literal in ANSI SQL:
(r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
(r'"(""|\\"|[^"])*"', tokens.String.Symbol),
(r'(""|".*?[^\\]")', tokens.String.Symbol),
# sqlite names can be escaped with [square brackets]. left bracket
# cannot be preceded by word character or a right bracket --
Expand Down
4 changes: 2 additions & 2 deletions tests/test_split.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ def test_split_semicolon():


def test_split_backslash():
stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
assert len(stmts) == 3
stmts = sqlparse.parse("select '\'; select '\'';")

This comment has been minimized.

Copy link
@mcepl

mcepl May 25, 2023

@andialbrecht Are you certain that this really shouldn’t be r-string?

assert len(stmts) == 2


@pytest.mark.parametrize('fn', ['function.sql',
Expand Down

0 comments on commit c457abd

Please sign in to comment.