From 7392918d9ce7a4c686539cf44e2840aed09670ba Mon Sep 17 00:00:00 2001
From: hailin0
Date: Wed, 12 Jun 2024 13:51:37 +0800
Subject: [PATCH] [Hotfix] Fix arbitrary file readvulnerability on mysql cdc (#167)
---
 .../plugin/cdc/mysql/MysqlCDCDataSourceChannel.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
index 1cd99d362..e4a00fbdb 100644
--- a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
+++ b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
@@ -38,6 +38,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.Set;
 
 public class MysqlCDCDataSourceChannel implements DataSourceChannel {
@@ -154,13 +155,17 @@ protected Connection init(Map requestParams) throws SQLException
 throw new DataSourcePluginException("Jdbc url is null");
 }
 String url = requestParams.get(MysqlCDCOptionRule.BASE_URL.key());
+
+ Properties info = new java.util.Properties();
+ info.put("autoDeserialize", "false");
+ info.put("allowLoadLocalInfile", "false");
+ info.put("allowLoadLocalInfileInPath", "");
 if (null != requestParams.get(MysqlCDCOptionRule.PASSWORD.key())
 && null != requestParams.get(MysqlCDCOptionRule.USERNAME.key())) {
- String username = requestParams.get(MysqlCDCOptionRule.USERNAME.key());
- String password = requestParams.get(MysqlCDCOptionRule.PASSWORD.key());
- return DriverManager.getConnection(url, username, password);
+ info.put("user", requestParams.get(MysqlCDCOptionRule.USERNAME.key()));
+ info.put("password", requestParams.get(MysqlCDCOptionRule.PASSWORD.key()));
 }
- return DriverManager.getConnection(url);
+ return DriverManager.getConnection(url, info);
 }
 
 protected List getDataBaseNames(Map requestParams) throws SQLException {
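Review bot: The hardening in `init` only holds if the driver lets `info` win over the same keys given inside the caller-supplied `url`, and nothing in this hunk checks `url` for `autoDeserialize`, `allowLoadLocalInfile` or `allowLoadLocalInfileInPath`. Which side wins depends on the MySQL driver version and on how the URL expresses the property, neither of which is visible here. I would therefore inspect `url` before `DriverManager.getConnection(url, info)` and reject it with a `DataSourcePluginException` when it carries any of these keys, rather than relying on override order. Minor: the import added in the first hunk makes the qualified name redundant, and `setProperty` keeps the table string-only, so `Properties info = new Properties();` and `info.setProperty("autoDeserialize", "false");` read better. The start of `init` lies outside the hunk, so an earlier URL check there cannot be ruled out.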