CVE-2021-32839: StripComments filter contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
(updated )
The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of ‘\r\n’ in SQL comments.
References
- github.com/advisories/GHSA-p5w8-wqhj-9hhf
- github.com/andialbrecht/sqlparse
- github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb
- github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
- github.com/pypa/advisory-database/tree/main/vulns/sqlparse/PYSEC-2021-333.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-32839
- securitylab.github.com/advisories/GHSL-2021-107-andialbrecht-sqlparse
Code Behaviors & Features
Detect and mitigate CVE-2021-32839 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →