Sqlparse Project Sqlparse vulnerabilities

CVE-2024-4340 [HIGH] CWE-674 sqlparse parsing heavily nested list leads to Denial of Service sqlparse parsing heavily nested list leads to Denial of Service ### Summary Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. ### Details + PoC Running the following code will raise Maximum recursion limit exceeded exception: ```py import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000) ``` We expect a traceback of RecursionError: ```py Traceback (m

CVE-2023-30608 [HIGH] CWE-1333 CVE-2023-30608: sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser conta sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c

CVE-2021-32839 [HIGH] CWE-400 CVE-2021-32839: sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 ther sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL