!29 Fix CVE-2024-4340

From: @wk333 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2023-30608.patch

@@ -0,0 +1,49 @@
+From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+
+From : https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
+
+---
+ sqlparse/keywords.py | 4 ++--
+ tests/test_split.py  | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 9c37e50..2017b6c 100644
+--- a/sqlparse/keywords.py
++++ b/sqlparse/keywords.py
+@@ -67,9 +67,9 @@ SQL_REGEX = {
+         (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+          tokens.Number.Float),
+         (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+-        (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
++        (r"'(''|\\'|[^'])*'", tokens.String.Single),
+         # not a real string literal in ANSI SQL:
+-        (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
++        (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+         (r'(""|".*?[^\\]")', tokens.String.Symbol),
+         # sqlite names can be escaped with [square brackets]. left bracket
+         # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a93e3d4..bcc96cf 100644
+--- a/tests/test_split.py
++++ b/tests/test_split.py
+@@ -20,8 +20,8 @@ def test_split_semicolon():
+ 
+ 
+ def test_split_backslash():
+-    stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+-    assert len(stmts) == 3
++    stmts = sqlparse.parse("select '\'; select '\'';")
++    assert len(stmts) == 2
+ 
+ 
+ @pytest.mark.parametrize('fn', ['function.sql',
+-- 
+2.33.0
+

CVE-2024-4340.patch

@@ -0,0 +1,77 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+
+---
+ sqlparse/sql.py           | 14 +++++++++-----
+ tests/test_regressions.py | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 1ccfbdb..2090621 100644
+--- a/sqlparse/sql.py
++++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+ 
+ from sqlparse import tokens as T
++from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+ 
+ 
+@@ -209,11 +210,14 @@ class TokenList(Token):
+ 
+         This method is recursively called for all child tokens.
+         """
+-        for token in self.tokens:
+-            if token.is_group:
+-                yield from token.flatten()
+-            else:
+-                yield token
++        try:
++            for token in self.tokens:
++                if token.is_group:
++                    yield from token.flatten()
++                else:
++                    yield token
++        except RecursionError as err:
++            raise SQLParseError('Maximum recursion depth exceeded') from err
+ 
+     def get_sublists(self):
+         for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index bc8b7dd..33162f1 100644
+--- a/tests/test_regressions.py
++++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+ import pytest
++import sys
+ 
+ import sqlparse
+ from sqlparse import sql, tokens as T
++from sqlparse.exceptions import SQLParseError
+ 
+ 
+ def test_issue9():
+@@ -436,3 +438,15 @@ def test_splitting_at_and_backticks_issue588():
+         'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+     assert len(splitted) == 2
+     assert splitted[-1] == 'grant bar to user1@`myhost`;'
++
++@pytest.fixture
++def limit_recursion():
++    curr_limit = sys.getrecursionlimit()
++    sys.setrecursionlimit(80)
++    yield
++    sys.setrecursionlimit(curr_limit)
++
++
++def test_max_recursion(limit_recursion):
++    with pytest.raises(SQLParseError):
++        sqlparse.parse('[' * 100 + ']' * 100)
+-- 
+2.33.0
+

python-sqlparse.spec

@@ -1,45 +1,48 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-sqlparse
-Version:	0.3.1
-Release:	1
-Summary:	Non-validating SQL parser
-License:	BSD
+Version:        0.4.2
+Release:        3
+Summary:        A non-validating SQL parser.
+License:        BSD-3-Clause
 URL:            https://github.com/andialbrecht/sqlparse
-Source0:	https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz
+Source0:        https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz
+Patch001:       CVE-2023-30608.patch
+Patch002:       CVE-2024-4340.patch
 BuildArch:      noarch
 
-
 %description
-``sqlparse`` is a non-validating SQL parser module.
-It provides support for parsing, splitting and formatting SQL statements.
-
+A non-validating SQL parser.
 
 %package -n python3-sqlparse
-Summary:	Non-validating SQL parser
+Summary:        A non-validating SQL parser.
 Provides:       python-sqlparse
+# Base build requires
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
-%description -n python3-sqlparse
-``sqlparse`` is a non-validating SQL parser module.
-It provides support for parsing, splitting and formatting SQL statements.
+BuildRequires:  python3-pbr
+BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
+BuildRequires:  python3-pytest
 
+%description -n python3-sqlparse
+A non-validating SQL parser.
 
 %package help
-Summary:	Development documents and examples for sqlparse
+Summary:        A non-validating SQL parser.
 Provides:       python3-sqlparse-doc
-%description help
-``sqlparse`` is a non-validating SQL parser module.
-It provides support for parsing, splitting and formatting SQL statements.
 
+%description help
+A non-validating SQL parser.
 
 %prep
-%autosetup -n sqlparse-0.3.1
+%autosetup -n sqlparse-%{version} -p1
 
 %build
 %py3_build
 
 %install
 %py3_install
+
 install -d -m755 %{buildroot}/%{_pkgdocdir}
 if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
 if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
@@ -66,6 +69,9 @@ popd
 mv %{buildroot}/filelist.lst .
 mv %{buildroot}/doclist.lst .
 
+%check
+%{__python3} -m pytest
+
 %files -n python3-sqlparse -f filelist.lst
 %dir %{python3_sitelib}/*
 
@@ -73,5 +79,20 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.2-3
+- Fix CVE-2024-4340
+
+* Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2
+- Fix CVE-2023-30608
+
+* Tue Oct 25 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.2-1
+- Upgrade to 0.4.2
+
+* Mon Oct 11 2021 houyingchao <houyingchao@huawei.com> - 0.4.1-2
+- Fix CVE-2021-32839
+
+* Fri Aug 06 2021 OpenStack_SIG <openstack@openeuler.org> - 0.4.1-1
+- Upgrade version to 0.4.1
+
 * Sun Jul 12 2020 Python_Bot <Python_Bot@openeuler.org>
 - Package Spec generated