!33 [sync] PR-28: Fix CVE-2024-4340

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
2024-05-06 07:21:34 +00:00 · 2024-05-06 07:21:34 +00:00 · 53760b2eea
commit 53760b2eea
parent 12193ba6ad 419f8bfe6f
2 changed files with 83 additions and 2 deletions
--- a/CVE-2024-4340.patch
+++ b/CVE-2024-4340.patch
@ -0,0 +1,77 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+
+---
+ sqlparse/sql.py           | 14 +++++++++-----
+ tests/test_regressions.py | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 1ccfbdb..2090621 100644
+--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+ 
+ from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+ 
+ 
+@@ -209,11 +210,14 @@ class TokenList(Token):
+ 
+         This method is recursively called for all child tokens.
+         """
+-        for token in self.tokens:
+-            if token.is_group:
+-                yield from token.flatten()
+-            else:
+-                yield token
+        try:
+            for token in self.tokens:
+                if token.is_group:
+                    yield from token.flatten()
+                else:
+                    yield token
+        except RecursionError as err:
+            raise SQLParseError('Maximum recursion depth exceeded') from err
+ 
+     def get_sublists(self):
+         for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index bc8b7dd..33162f1 100644
+--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+ import pytest
+import sys
+ 
+ import sqlparse
+ from sqlparse import sql, tokens as T
+from sqlparse.exceptions import SQLParseError
+ 
+ 
+ def test_issue9():
+@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():
+              baz AS ()
+         SELECT * FROM baz;""")
+     assert p.get_type() == "SELECT"
+
+@pytest.fixture
+def limit_recursion():
+    curr_limit = sys.getrecursionlimit()
+    sys.setrecursionlimit(70)
+    yield
+    sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+    with pytest.raises(SQLParseError):
+        sqlparse.parse('[' * 100 + ']' * 100)
+-- 
+2.33.0
+
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@ -3,11 +3,12 @@

 Name:           python-sqlparse
 Version:        0.4.4
-Release:        1
+Release:        2
 Summary:        A non-validating SQL parser.
 License:        BSD-3-Clause
 URL:            https://github.com/andialbrecht/sqlparse
 Source0:        https://github.com/andialbrecht/%{shortname}/archive/%{version}/%{shortname}-%{version}.tar.gz
+Patch0:         CVE-2024-4340.patch
 BuildArch:      noarch

 %description
@ -30,7 +31,7 @@ BuildRequires:  python3-flit
 A non-validating SQL parser.

 %prep
-%autosetup -n sqlparse-%{version}
+%autosetup -n sqlparse-%{version} -p1

 %build
 %pyproject_build
@ -48,6 +49,9 @@ A non-validating SQL parser.
 %{_bindir}/sqlformat

 %changelog
+* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.4-2
+- Fix CVE-2024-4340
+
 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.4-1
 - Update package to version 0.4.4
 - Fix CVE-2023-30608