python-sqlparse/CVE-2024-4340.patch

From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Sat, 13 Apr 2024 13:59:00 +0200
Subject: [PATCH] Raise SQLParseError instead of RecursionError.

Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03

---
 sqlparse/sql.py           | 14 +++++++++-----
 tests/test_regressions.py | 14 ++++++++++++++
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/sqlparse/sql.py b/sqlparse/sql.py
index 1ccfbdb..2090621 100644
--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
@@ -10,6 +10,7 @@
 import re
 
 from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
 from sqlparse.utils import imt, remove_quotes
 
 
@@ -209,11 +210,14 @@ class TokenList(Token):
 
         This method is recursively called for all child tokens.
         """
-        for token in self.tokens:
-            if token.is_group:
-                yield from token.flatten()
-            else:
-                yield token
+        try:
+            for token in self.tokens:
+                if token.is_group:
+                    yield from token.flatten()
+                else:
+                    yield token
+        except RecursionError as err:
+            raise SQLParseError('Maximum recursion depth exceeded') from err
 
     def get_sublists(self):
         for token in self.tokens:
diff --git a/tests/test_regressions.py b/tests/test_regressions.py
index bc8b7dd..33162f1 100644
--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
@@ -1,7 +1,9 @@
 import pytest
+import sys
 
 import sqlparse
 from sqlparse import sql, tokens as T
+from sqlparse.exceptions import SQLParseError
 
 
 def test_issue9():
@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():
              baz AS ()
         SELECT * FROM baz;""")
     assert p.get_type() == "SELECT"
+
+@pytest.fixture
+def limit_recursion():
+    curr_limit = sys.getrecursionlimit()
+    sys.setrecursionlimit(70)
+    yield
+    sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+    with pytest.raises(SQLParseError):
+        sqlparse.parse('[' * 100 + ']' * 100)
-- 
2.33.0
Fix CVE-2024-4340 (cherry picked from commit 08131e4bb8ba38d6bcc8107915f8552213d81962) 2024-05-06 10:15:26 +08:00			`From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001`
			`From: Andi Albrecht <albrecht.andi@gmail.com>`
			`Date: Sat, 13 Apr 2024 13:59:00 +0200`
			`Subject: [PATCH] Raise SQLParseError instead of RecursionError.`

			`Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03`

			`---`
			`sqlparse/sql.py \| 14 +++++++++-----`
			`tests/test_regressions.py \| 14 ++++++++++++++`
			`2 files changed, 23 insertions(+), 5 deletions(-)`

			`diff --git a/sqlparse/sql.py b/sqlparse/sql.py`
			`index 1ccfbdb..2090621 100644`
			`--- a/sqlparse/sql.py`
			`+++ b/sqlparse/sql.py`
			`@@ -10,6 +10,7 @@`
			`import re`

			`from sqlparse import tokens as T`
			`+from sqlparse.exceptions import SQLParseError`
			`from sqlparse.utils import imt, remove_quotes`


			`@@ -209,11 +210,14 @@ class TokenList(Token):`

			`This method is recursively called for all child tokens.`
			`"""`
			`- for token in self.tokens:`
			`- if token.is_group:`
			`- yield from token.flatten()`
			`- else:`
			`- yield token`
			`+ try:`
			`+ for token in self.tokens:`
			`+ if token.is_group:`
			`+ yield from token.flatten()`
			`+ else:`
			`+ yield token`
			`+ except RecursionError as err:`
			`+ raise SQLParseError('Maximum recursion depth exceeded') from err`

			`def get_sublists(self):`
			`for token in self.tokens:`
			`diff --git a/tests/test_regressions.py b/tests/test_regressions.py`
			`index bc8b7dd..33162f1 100644`
			`--- a/tests/test_regressions.py`
			`+++ b/tests/test_regressions.py`
			`@@ -1,7 +1,9 @@`
			`import pytest`
			`+import sys`

			`import sqlparse`
			`from sqlparse import sql, tokens as T`
			`+from sqlparse.exceptions import SQLParseError`


			`def test_issue9():`
			`@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():`
			`baz AS ()`
			`SELECT * FROM baz;""")`
			`assert p.get_type() == "SELECT"`
			`+`
			`+@pytest.fixture`
			`+def limit_recursion():`
			`+ curr_limit = sys.getrecursionlimit()`
			`+ sys.setrecursionlimit(70)`
			`+ yield`
			`+ sys.setrecursionlimit(curr_limit)`
			`+`
			`+`
			`+def test_max_recursion(limit_recursion):`
			`+ with pytest.raises(SQLParseError):`
			`+ sqlparse.parse('[' * 100 + ']' * 100)`
			`--`
			`2.33.0`