Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion api/tacticalrmm/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ qrcode==8.0
redis==5.0.8
requests==2.32.3
six==1.16.0
sqlparse==0.5.1
sqlparse==0.5.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify sqlparse 0.5.5 exists and check for security advisories

# Check PyPI for the specific version
curl -s https://pypi.org/pypi/sqlparse/0.5.5/json | jq -r '.info.version // "Version not found"'

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "sqlparse") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: flamingo-stack/tacticalrmm

Length of output: 1391


🏁 Script executed:

#!/bin/bash
# Description: Find sqlparse usage to verify exception handling

# Search for sqlparse imports and usage
rg -n --type=py 'import sqlparse|from sqlparse' -A 5

# Search for parse/format calls that might be affected
rg -n --type=py 'sqlparse\.(parse|format|split)' -C 5

Repository: flamingo-stack/tacticalrmm

Length of output: 52


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find any mention/usages of sqlparse anywhere in the repo
rg -n "sqlparse" . || true

Repository: flamingo-stack/tacticalrmm

Length of output: 125


🌐 Web query:

sqlparse 0.5.5 DoS protection raises SQLParseError instead of returning None

💡 Result:

In sqlparse version 0.5.5, a change was implemented to address issue #827, ensuring that the library raises a SQLParseError instead of silently returning None when its Denial of Service (DoS) protection limits are exceeded [1][2]. Background and Reason for Change: Earlier versions (introduced in 0.5.4) added security guards—MAX_GROUPING_DEPTH and MAX_GROUPING_TOKENS—to prevent algorithmic complexity attacks during SQL parsing [1][3]. When these limits were initially hit, the parser would silently return None, which effectively suppressed error reporting and made it difficult for users to diagnose why certain large or complex SQL statements were failing to parse [2][4]. Version 0.5.5 corrected this behavior by explicitly raising a SQLParseError, providing clear feedback such as "Maximum grouping depth exceeded" or "Maximum number of tokens exceeded" [5][2]. Managing Limits: If you encounter these errors while processing legitimate, large SQL statements, you can adjust or disable the protections by modifying the constants in sqlparse.engine.grouping [3][4]. To increase or disable these limits, use: import sqlparse.engine.grouping # Increase limits (use with caution) sqlparse.engine.grouping.MAX_GROUPING_DEPTH = 200 sqlparse.engine.grouping.MAX_GROUPING_TOKENS = 50000 # Disable limits completely (use with extreme caution as this restores DoS vulnerability) sqlparse.engine.grouping.MAX_GROUPING_DEPTH = None sqlparse.engine.grouping.MAX_GROUPING_TOKENS = None It is highly recommended to keep these protections enabled if you are processing untrusted SQL input, as they are designed to prevent resource exhaustion attacks [3][4].

Citations:


Update sqlparse to 0.5.5: DoS handling now raises SQLParseError (check any indirect SQL parsing paths)

  • sqlparse==0.5.5 exists on PyPI; the known security advisories shown for sqlparse are patched by 0.5.5 (e.g., DoS limit issue patched in 0.5.4).
  • In sqlparse 0.5.5, when grouping limits are exceeded, DoS protection now raises SQLParseError instead of returning None.
  • This repo has no direct sqlparse usage (only the dependency entry), so breakage risk is mainly if SQL parsing is done indirectly via other dependencies—exercise a smoke test around any SQL-parsing flows.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/tacticalrmm/requirements.txt` at line 32, Update the dependency line to
ensure sqlparse==0.5.5 is pinned (it already is) and then search the codebase
for any direct or indirect uses of the sqlparse package (search for the token
"sqlparse" and for likely SQL-parsing callsites like functions named parse_*,
format_*, or any migration/SQL rendering helpers) and add exception handling for
sqlparse.exceptions.SQLParseError around those callsites; run smoke tests for
any SQL parsing flows to confirm behavior.

tldextract==5.1.3
twilio==8.13.0
urllib3==2.2.3
Expand Down
Loading