Remove unnecessary parts in regex for bad escaping.
The regex tried to deal with situations where escaping in the
SQL to be parsed was suspicious.
andialbrecht committed Apr 18, 2023
1 parent b949fdf commit c457abd
Showing 3 changed files with 14 additions and 4 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG
@@ -1,12 +1,22 @@
Development Version
-------------------

Notable Changes

* IMPORTANT: This release fixes a security vulnerability in the
parser where a regular expression vulnerable to ReDOS (Regular
Expression Denial of Service) was used. See the security advisory
for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
The vulnerability was discovered by @erik-krogh from GitHub
Security Lab (GHSL). Thanks for reporting!

Bug Fixes

* Revert a change from 0.4.0 that changed IN to be a comparison (issue694).
The primary expectation is that IN is treated as a keyword and not as a
comparison operator. That also follows the definition of reserved keywords
for the major SQL syntax definitions.
* Fix regular expressions for string parsing.

Other

4 changes: 2 additions & 2 deletions sqlparse/keywords.py
@@ -59,9 +59,9 @@
(r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
tokens.Number.Float),
(r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
(r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
(r"'(''|\\'|[^'])*'", tokens.String.Single),
# not a real string literal in ANSI SQL:
(r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
(r'"(""|\\"|[^"])*"', tokens.String.Symbol),
(r'(""|".*?[^\\]")', tokens.String.Symbol),
# sqlite names can be escaped with [square brackets]. left bracket
# cannot be preceded by word character or a right bracket --
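Review bot: dropping the `\\\\` alternative does remove the ambiguity behind the exponential backtracking (a backslash was matchable both by `\\\\` and by `[^']`, so every run of backslashes in an unterminated literal could be split into pairs and singles in many ways before the match finally failed), but it also changes what the pattern accepts: in `'\\'` the second backslash and the quote after it now match the `\\'` alternative, so the literal no longer ends at that quote and runs on to the next `'` in the input. If that is intended, say so in a comment above the pattern and in CHANGELOG; if not, the same ambiguity-free result can be had by letting the escape alternative own every backslash and excluding backslash from the character class, e.g. `'(''|\\.|[^'\\])*'`, which keeps `\\` as an escape pair without two alternatives competing for the same character. The same applies to the String.Symbol pattern two lines below, which received the identical edit.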
4 changes: 2 additions & 2 deletions tests/test_split.py
@@ -18,8 +18,8 @@ def test_split_semicolon():


def test_split_backslash():
stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
assert len(stmts) == 3
stmts = sqlparse.parse("select '\'; select '\'';")
assert len(stmts) == 2


@pytest.mark.parametrize('fn', ['function.sql',
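Review bot: the new input is no longer a raw string, so Python turns `\'` into a plain `'` and `sqlparse.parse("select '\'; select '\'';")` actually parses `select ''; select ''';`, which contains no backslash at all; a function named test_split_backslash then no longer exercises the `\\'` alternative that keywords.py keeps. Either restore the prefix (`r"select '\'; select '\'';"`) and set the expected count to what the new String.Single pattern really produces for that input, or rename the test and add a separate raw-string case covering an escaped quote inside a literal. Removing the `'\\'` and `'\\\''` cases from the old input also silently drops the only regression check for the escaped-backslash behaviour this commit changes; if that change is intended, keep one of those inputs with its new expected count so the behaviour is pinned down.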