CVE-2021-32839

Description

A resource-consumption flaw was found in python-sqlparse. The StripCommentsFilter, which runs when SQL is formatted with comment stripping enabled (sqlparse.format() with strip_comments=True, or the sqlformat command-line tool with --strip-comments), uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker who can submit SQL text to an application that formats it this way could craft a comment containing many repetitions of '\r\n'; matching such input triggers exponential backtracking in the regular-expression engine, so the formatting call never returns in practice and the process hangs. The flaw is confined to comment stripping: formatting without that option does not reach the vulnerable expression. Upstream fixed the issue in sqlparse 0.4.2.

Mitigation

As a mitigation, do not call sqlparse.format() with strip_comments=True, and do not pass the --strip-comments flag to the sqlformat command-line tool; the vulnerable regular expression runs only when comments are stripped. Where comments must still be removed from untrusted SQL, do it without that filter, and bound the size of SQL accepted from untrusted sources before formatting it, since a ReDoS payload needs a long run of '\r\n' to be effective.
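The mitigation above avoids the vulnerable code path entirely. Where comments still have to be removed from untrusted SQL, the following is an added example (not code from sqlparse or from this advisory) of doing that in a single linear pass with no regular expression, so a comment made of many '\r\n' repetitions costs time proportional to its length. MAX_SQL_LEN, the helper names, and the constructed inputs are assumptions made for this example; format_untrusted shows how to then hand the result to sqlparse.format with strip_comments left at its default.

```python
import time

# Assumed size limit for attacker-controlled SQL (not part of sqlparse or the advisory).
MAX_SQL_LEN = 256 * 1024


def strip_sql_comments(sql: str) -> str:
    """Strip '--' line comments and '/* */' block comments in one linear pass.

    Each character is visited once and no regular expression is used, so the
    cost is proportional to len(sql) no matter how many CRLF sequences a
    comment contains. Quoted strings ('...' and "...") are copied verbatim so
    that '--' or '/*' inside a literal is not mistaken for a comment. A block
    comment is replaced by the line breaks at its end if it has any (trailing
    blanks ignored), otherwise by one space; a line comment is dropped and the
    line break that ends it is kept.
    """
    if len(sql) > MAX_SQL_LEN:
        raise ValueError(f"SQL input longer than {MAX_SQL_LEN} characters")

    out = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # Copy the whole literal, honouring backslash escapes and doubled quotes.
            j = i + 1
            while j < n:
                if sql[j] == "\\" and j + 1 < n:
                    j += 2
                    continue
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:
                        j += 2
                        continue
                    break
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):
            # Line comment: skip to (but not past) the line break.
            j = i + 2
            while j < n and sql[j] not in "\r\n":
                j += 1
            i = j
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            if end == -1:
                end = n  # unterminated block comment runs to end of input
            body = sql[i + 2:end].rstrip(" \t")
            trailing = body[len(body.rstrip("\r\n")):]
            out.append(trailing or " ")
            i = end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def worst_case_comment(repeats: int) -> str:
    """Constructed input in the shape the advisory describes: one block comment
    consisting of many CRLF repetitions."""
    return "SELECT 1 /*" + "\r\n" * repeats + "*/ FROM t"


def format_untrusted(sql: str) -> str:
    """Format attacker-controlled SQL with sqlparse while staying clear of the
    StripCommentsFilter: comments are removed by the linear pass above and
    strip_comments is left at its default of False."""
    import sqlparse  # imported here so the rest of this file runs without it
    return sqlparse.format(strip_sql_comments(sql), reindent=True)


if __name__ == "__main__":
    sql = worst_case_comment(100_000)
    t0 = time.perf_counter()
    stripped = strip_sql_comments(sql)
    print(f"{len(sql)} characters stripped in {time.perf_counter() - t0:.3f}s, "
          f"{len(stripped)} characters kept")
```

Running the file strips a 200,000-character comment in well under a second; the same shape of input is what the advisory describes as hanging the vulnerable filter. The length guard is the second half of the mitigation: even a linear pass should not be asked to process unbounded attacker input.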

Additional Information

  • Bugzilla 2005072: CVE-2021-32839 python-sqlparse: ReDoS via regular expression in StripComments filter
  • CWE-400: Uncontrolled Resource Consumption