Add hard limits for grouping to prevent DoS attacks.

andialbrecht · andialbrecht · commit 40ed3aa95865 · 2025-11-25T16:20:28.000+01:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,7 +1,14 @@
 Development Version
 -------------------
 
-Nothing yet.
+Bug Fixes
+
+* Add additional protection against denial of service attacks when parsing
+  very large lists of tuples. This enhances the existing recursion protections
+  with configurable limits for token processing to prevent DoS through
+  algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100,
+  MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None)
+  if needed for legitimate large SQL statements.
 
 
 Release 0.5.3 (Dez 10, 2024)
diff --git a/docs/source/api.rst b/docs/source/api.rst
@@ -73,3 +73,39 @@ The :meth:`~sqlparse.format` function accepts the following keyword arguments.
   If ``True`` comma-first notation for column names is used.
 
 
+Security and Performance Considerations
+---------------------------------------
+
+For developers working with very large SQL statements or in security-sensitive
+environments, sqlparse includes built-in protections against potential denial
+of service (DoS) attacks:
+
+**Grouping Limits**
+  The parser includes configurable limits to prevent excessive resource
+  consumption when processing very large or deeply nested SQL structures:
+
+  - ``MAX_GROUPING_DEPTH`` (default: 100) - Limits recursion depth during token grouping
+  - ``MAX_GROUPING_TOKENS`` (default: 10,000) - Limits the number of tokens processed in a single grouping operation
+
+  These limits can be modified by changing the constants in ``sqlparse.engine.grouping``
+  if your application requires processing larger SQL statements. Set a limit to ``None``
+  to completely disable it. However, increasing these values or disabling limits may
+  expose your application to DoS vulnerabilities when processing untrusted SQL input.
+
+  Example of modifying limits::
+
+    import sqlparse.engine.grouping
+
+    # Increase limits (use with caution)
+    sqlparse.engine.grouping.MAX_GROUPING_DEPTH = 200
+    sqlparse.engine.grouping.MAX_GROUPING_TOKENS = 50000
+
+    # Disable limits completely (use with extreme caution)
+    sqlparse.engine.grouping.MAX_GROUPING_DEPTH = None
+    sqlparse.engine.grouping.MAX_GROUPING_TOKENS = None
+
+.. warning::
+   Increasing the grouping limits or disabling them completely may make your
+   application vulnerable to DoS attacks when processing untrusted SQL input.
+   Only modify these values if you are certain about the source and size of
+   your SQL statements.
diff --git a/sqlparse/engine/grouping.py b/sqlparse/engine/grouping.py
@@ -9,16 +9,35 @@
 from sqlparse import tokens as T
 from sqlparse.utils import recurse, imt
 
+# Maximum recursion depth for grouping operations to prevent DoS attacks
+# Set to None to disable limit (not recommended for untrusted input)
+MAX_GROUPING_DEPTH = 100
+
+# Maximum number of tokens to process in one grouping operation to prevent
+# DoS attacks.
+# Set to None to disable limit (not recommended for untrusted input)
+MAX_GROUPING_TOKENS = 10000
+
 T_NUMERICAL = (T.Number, T.Number.Integer, T.Number.Float)
 T_STRING = (T.String, T.String.Single, T.String.Symbol)
 T_NAME = (T.Name, T.Name.Placeholder)
 
 
-def _group_matching(tlist, cls):
+def _group_matching(tlist, cls, depth=0):
     """Groups Tokens that have beginning and end."""
+    if MAX_GROUPING_DEPTH is not None and depth > MAX_GROUPING_DEPTH:
+        return
+
+    # Limit the number of tokens to prevent DoS attacks
+    if MAX_GROUPING_TOKENS is not None \
+       and len(tlist.tokens) > MAX_GROUPING_TOKENS:
+        return
+
     opens = []
     tidx_offset = 0
-    for idx, token in enumerate(list(tlist)):
+    token_list = list(tlist)
+
+    for idx, token in enumerate(token_list):
         tidx = idx - tidx_offset
 
         if token.is_whitespace:
@@ -31,7 +50,7 @@ def _group_matching(tlist, cls):
             # Check inside previously grouped (i.e. parenthesis) if group
             # of different type is inside (i.e., case). though ideally  should
             # should check for all open/close tokens at once to avoid recursion
-            _group_matching(token, cls)
+            _group_matching(token, cls, depth + 1)
             continue
 
         if token.match(*cls.M_OPEN):
@@ -456,13 +475,23 @@ def _group(tlist, cls, match,
            valid_next=lambda t: True,
            post=None,
            extend=True,
-           recurse=True
+           recurse=True,
+           depth=0
            ):
     """Groups together tokens that are joined by a middle token. i.e. x < y"""
+    if MAX_GROUPING_DEPTH is not None and depth > MAX_GROUPING_DEPTH:
+        return
+
+    # Limit the number of tokens to prevent DoS attacks
+    if MAX_GROUPING_TOKENS is not None \
+       and len(tlist.tokens) > MAX_GROUPING_TOKENS:
+        return
 
     tidx_offset = 0
     pidx, prev_ = None, None
-    for idx, token in enumerate(list(tlist)):
+    token_list = list(tlist)
+
+    for idx, token in enumerate(token_list):
         tidx = idx - tidx_offset
         if tidx < 0:  # tidx shouldn't get negative
             continue
@@ -471,7 +500,8 @@ def _group(tlist, cls, match,
             continue
 
         if recurse and token.is_group and not isinstance(token, cls):
-            _group(token, cls, match, valid_prev, valid_next, post, extend)
+            _group(token, cls, match, valid_prev, valid_next,
+                   post, extend, True, depth + 1)
 
         if match(token):
             nidx, next_ = tlist.token_next(tidx)
diff --git a/tests/test_dos_prevention.py b/tests/test_dos_prevention.py
@@ -0,0 +1,101 @@
+"""Tests for DoS prevention mechanisms in sqlparse."""
+
+import pytest
+import sqlparse
+import time
+
+
+class TestDoSPrevention:
+    """Test cases to ensure sqlparse is protected against DoS attacks."""
+
+    def test_large_tuple_list_performance(self):
+        """Test that parsing a large list of tuples doesn't cause DoS."""
+        # Generate SQL with many tuples (like Django composite primary key queries)
+        sql = '''
+        SELECT "composite_pk_comment"."tenant_id", "composite_pk_comment"."comment_id"
+        FROM "composite_pk_comment"
+        WHERE ("composite_pk_comment"."tenant_id", "composite_pk_comment"."comment_id") IN ('''
+
+        # Generate 5000 tuples - this would previously cause a hang
+        tuples = []
+        for i in range(1, 5001):
+            tuples.append(f"(1, {i})")
+
+        sql += ", ".join(tuples) + ")"
+
+        # Test should complete quickly (under 5 seconds)
+        start_time = time.time()
+        result = sqlparse.format(sql, reindent=True, keyword_case="upper")
+        execution_time = time.time() - start_time
+
+        assert execution_time < 5.0, f"Parsing took too long: {execution_time:.2f}s"
+        assert len(result) > 0, "Result should not be empty"
+        assert "SELECT" in result.upper(), "SQL should be properly formatted"
+
+    def test_deeply_nested_groups_limited(self):
+        """Test that deeply nested groups don't cause stack overflow."""
+        # Create deeply nested parentheses
+        sql = "SELECT " + "(" * 200 + "1" + ")" * 200
+
+        # Should not raise RecursionError
+        result = sqlparse.format(sql, reindent=True)
+        assert "SELECT" in result
+        assert "1" in result
+
+    def test_very_large_token_list_limited(self):
+        """Test that very large token lists are handled gracefully."""
+        # Create a SQL with many identifiers
+        identifiers = []
+        for i in range(15000):  # More than MAX_GROUPING_TOKENS
+            identifiers.append(f"col{i}")
+
+        sql = f"SELECT {', '.join(identifiers)} FROM table1"
+
+        # Should complete without hanging
+        start_time = time.time()
+        result = sqlparse.format(sql, reindent=True)
+        execution_time = time.time() - start_time
+
+        assert execution_time < 10.0, f"Parsing took too long: {execution_time:.2f}s"
+        assert "SELECT" in result
+        assert "FROM" in result
+
+    def test_normal_sql_still_works(self):
+        """Test that normal SQL still works correctly after DoS protections."""
+        sql = """
+        SELECT u.id, u.name, p.title
+        FROM users u
+        JOIN posts p ON u.id = p.user_id
+        WHERE u.active = 1
+        AND p.published_at > '2023-01-01'
+        ORDER BY p.published_at DESC
+        """
+
+        result = sqlparse.format(sql, reindent=True, keyword_case="upper")
+
+        assert "SELECT" in result
+        assert "FROM" in result
+        assert "JOIN" in result
+        assert "WHERE" in result
+        assert "ORDER BY" in result
+
+    def test_reasonable_tuple_list_works(self):
+        """Test that reasonable-sized tuple lists still work correctly."""
+        sql = '''
+        SELECT id FROM table1
+        WHERE (col1, col2) IN ('''
+
+        # 100 tuples should work fine
+        tuples = []
+        for i in range(1, 101):
+            tuples.append(f"({i}, {i * 2})")
+
+        sql += ", ".join(tuples) + ")"
+
+        result = sqlparse.format(sql, reindent=True, keyword_case="upper")
+
+        assert "SELECT" in result
+        assert "WHERE" in result
+        assert "IN" in result
+        assert "1," in result  # First tuple should be there
+        assert "200" in result  # Last tuple should be there
