

10 Commits

openeuler-ci-bot
53760b2eea
!33 [sync] PR-28: Fix CVE-2024-4340
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
2024-05-06 07:21:34 +00:00
wk333
419f8bfe6f Fix CVE-2024-4340
(cherry picked from commit 08131e4bb8ba38d6bcc8107915f8552213d81962)
2024-05-06 15:04:30 +08:00
openeuler-ci-bot
12193ba6ad
!23 Update package to version 0.4.4
From: @wk333 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
2023-05-04 08:53:24 +00:00
wk333
89346d484b Update package to version 0.4.4 2023-05-04 16:15:26 +08:00
openeuler-ci-bot
fd66c0a63d
!17 Update package
From: @liqiuyu123 
Reviewed-by: @myeuler 
Signed-off-by: @myeuler
2022-12-08 15:00:43 +00:00
liqiuyu123
13ee63539b update version to 0.4.3 2022-12-07 14:43:31 +08:00
openeuler-ci-bot
1d9633f883
!15 Setup.py does not execute check, To change parameters, Go to check
From: @renliang16 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
2022-06-22 01:40:52 +00:00
“renliang@uniontech.com”
b126ef3fd3 Setup.py does not execute check, To change parameters, Go to check
To change %check parameters, Go to check
2022-06-21 08:23:55 +00:00
openeuler-ci-bot
2405355d53
!13 Update package sqlparse of version 0.4.2
From: @renliang16 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
2022-05-20 10:40:19 +00:00
renliang16
a0608ced1a Update package sqlparse of version 0.4.2 2022-05-20 03:38:23 +00:00
5 changed files with 110 additions and 99 deletions


@ -1,55 +0,0 @@
From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Tue, 7 Sep 2021 12:27:28 +0200
Subject: [PATCH] Optimize regular expression for identifying line breaks in
comments.
---
sqlparse/filters/others.py | 5 ++++-
tests/test_format.py | 17 +++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py
index e0e1ca19..6905f2d6 100644
--- a/sqlparse/filters/others.py
+++ b/sqlparse/filters/others.py
@@ -22,7 +22,10 @@ def get_next_comment():
def _get_insert_token(token):
"""Returns either a whitespace or the line breaks from token."""
# See issue484 why line breaks should be preserved.
- m = re.search(r'((\r\n|\r|\n)+) *$', token.value)
+ # Note: The actual value for a line break is replaced by \n
+ # in SerializerUnicode which will be executed in the
+ # postprocessing state.
+ m = re.search(r'((\r|\n)+) *$', token.value)
if m is not None:
return sql.Token(T.Whitespace.Newline, m.groups()[0])
else:
diff --git a/tests/test_format.py b/tests/test_format.py
index 7117d9d6..70bb8055 100644
--- a/tests/test_format.py
+++ b/tests/test_format.py
@@ -84,6 +84,23 @@ def test_strip_comments_multi(self):
res = sqlparse.format(sql, strip_comments=True)
assert res == 'select (select 2)'
+ def test_strip_comments_preserves_linebreak(self):
+ sql = 'select * -- a comment\r\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\rfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\r\n\r\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\n\nfrom foo'
+ sql = 'select * -- a comment\n\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\n\nfrom foo'
+
def test_strip_ws(self):
f = lambda sql: sqlparse.format(sql, strip_whitespace=True)
s = 'select\n* from foo\n\twhere ( 1 = 2 )\n'

77
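--- /dev/null
+++ b/CVE-2024-4340.patch
@@ -0,0 +1,77 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+---
+sqlparse/sql.py | 14 +++++++++-----
+tests/test_regressions.py | 14 ++++++++++++++
+2 files changed, 23 insertions(+), 5 deletions(-)
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 1ccfbdb..2090621 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+import re
+from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+from sqlparse.utils import imt, remove_quotes
+@@ -209,11 +210,14 @@ class TokenList(Token):
+This method is recursively called for all child tokens.
+"""
+- for token in self.tokens:
+- if token.is_group:
+- yield from token.flatten()
+- else:
+- yield token
++ try:
++ for token in self.tokens:
++ if token.is_group:
++ yield from token.flatten()
++ else:
++ yield token
++ except RecursionError as err:
++ raise SQLParseError('Maximum recursion depth exceeded') from err
+def get_sublists(self):
+for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index bc8b7dd..33162f1 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+import pytest
++import sys
+import sqlparse
+from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+def test_issue9():
+@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():
+baz AS ()
+SELECT * FROM baz;""")
+assert p.get_type() == "SELECT"
++
++@pytest.fixture
++def limit_recursion():
++ curr_limit = sys.getrecursionlimit()
++ sys.setrecursionlimit(70)
++ yield
++ sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++ with pytest.raises(SQLParseError):
++ sqlparse.parse('[' * 100 + ']' * 100)
+--
+2.33.0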
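Review bot: The docstring of `TokenList.flatten` in the sqlparse/sql.py hunk still describes only the recursion and says nothing about the new failure mode, so callers have no documented reason to catch `SQLParseError` where they previously saw a bare `RecursionError`; add a line such as `Raises SQLParseError if the token tree is nested deeper than the interpreter's recursion limit.` to the docstring (the `def flatten` line itself starts above the hunk). Because every nesting level re-enters `flatten()` and each level's `except RecursionError` only matches the original interpreter error, the conversion happens once in the innermost frame and the `SQLParseError` then propagates through the outer frames unchanged, with `from err` keeping the full recursion traceback as `__cause__`; presumably that traceback is as deep as the nesting that triggered it, so services logging parse failures with `exc_info` should expect very large records for this case. Only `flatten()` is guarded here; if other recursive walks over the token tree exist in the 0.4.4 sources (string rendering or pretty-printing, for instance), they would still surface a plain `RecursionError` — worth confirming before treating the input-triggered crash as fully closed. In the test hunk, `limit_recursion` mutates process-global interpreter state via `sys.setrecursionlimit(70)`; the yield-fixture teardown restores it, which is what makes it safe under the spec's `%check` pytest run.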


@ -1,12 +1,14 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
%global shortname sqlparse
Name: python-sqlparse Name: python-sqlparse
Version: 0.4.1 Version: 0.4.4
Release: 3 Release: 2
Summary: A non-validating SQL parser. Summary: A non-validating SQL parser.
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/andialbrecht/sqlparse URL: https://github.com/andialbrecht/sqlparse
Patch001: CVE-2021-32839.patch Source0: https://github.com/andialbrecht/%{shortname}/archive/%{version}/%{shortname}-%{version}.tar.gz
Source0: https://files.pythonhosted.org/packages/a2/54/da10f9a0235681179144a5ca02147428f955745e9393f859dec8d0d05b41/sqlparse-0.4.1.tar.gz Patch0: CVE-2024-4340.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -15,6 +17,7 @@ A non-validating SQL parser.
%package -n python3-sqlparse %package -n python3-sqlparse
Summary: A non-validating SQL parser. Summary: A non-validating SQL parser.
Provides: python-sqlparse Provides: python-sqlparse
Obsoletes: python-sqlparse-help < 0.4.4
# Base build requires # Base build requires
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
@ -22,62 +25,48 @@ BuildRequires: python3-pbr
BuildRequires: python3-pip BuildRequires: python3-pip
BuildRequires: python3-wheel BuildRequires: python3-wheel
BuildRequires: python3-pytest BuildRequires: python3-pytest
BuildRequires: python3-flit
%description -n python3-sqlparse %description -n python3-sqlparse
A non-validating SQL parser. A non-validating SQL parser.
%package help
Summary: A non-validating SQL parser.
Provides: python3-sqlparse-doc
%description help
A non-validating SQL parser.
%prep %prep
%autosetup -n sqlparse-%{version} -p1 %autosetup -n sqlparse-%{version} -p1
%build %build
%py3_build %pyproject_build
%install %install
%py3_install %pyproject_install sqlparse==%{version}
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .
%check %check
%{__python3} -m pytest %{__python3} -m pytest
%files -n python3-sqlparse -f filelist.lst %files -n python3-sqlparse
%dir %{python3_sitelib}/* %{python3_sitelib}/*
%doc AUTHORS CHANGELOG README.rst
%files help -f doclist.lst %license LICENSE
%{_docdir}/* %{_bindir}/sqlformat
%changelog %changelog
* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.4-2
- Fix CVE-2024-4340
* Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.4-1
- Update package to version 0.4.4
- Fix CVE-2023-30608
- Compling package with pyproject
- Obsoletes subpackage python-sqlparse-help
* Wed Dec 07 2022 liqiuyu <liqiuyu@kylinos.cn> - 0.4.3-1
- Update package to version 0.4.3
* Tue Jun 21 2022 renliang <renliang@uniontech.com> - 0.4.2-2
- Setup.py does not execute check, To change parameters, Go to check
* Fri May 20 2022 renliang <renliang@uniontech.com> - 0.4.2-1
- Upgrade package python3-sqlparse to version 0.4.2
* Mon May 9 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.1-3 * Mon May 9 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.1-3
- License compliance rectification - License compliance rectification
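Review bot: `Source0` now points at the GitHub on-demand archive (`archive/%{version}/%{shortname}-%{version}.tar.gz`) instead of the PyPI sdist URL whose path carried the file hash, and the committed `sqlparse-0.4.4.tar.gz` is a binary blob with no recorded digest; archive tarballs generated by the forge have changed bytes in the past when its compression stack changed, so record the expected checksum of the tarball alongside the spec (or use the upstream release sdist) so that a re-fetched source can be verified against what was built. `Obsoletes: python-sqlparse-help < 0.4.4` is not paired with a `Provides:` for the dropped subpackage, so upgrades silently remove it — confirm that is intended. Dropping `Patch001: CVE-2021-32839.patch` is presumably because that fix is already in the 0.4.4 tree, but neither the 0.4.4-1 nor the 0.4.4-2 changelog entry says so; a line like `- Drop CVE-2021-32839.patch, fix included upstream` would keep the package's security history traceable from the changelog alone.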

Binary file not shown.

BIN
sqlparse-0.4.4.tar.gz Normal file

Binary file not shown.