[Hotfix] Fix arbitrary file readvulnerability on mysql jdbc

link apache/security-site@5a193b7
apache · Jun 12, 2024 · fd93ddb · fd93ddb
1 parent 4a37ebf
commit fd93ddb
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/...in/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java b/...in/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -187,11 +188,15 @@ private Connection getConnection(Map<String, String> requestParams, String datab
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(MysqlOptionRule.URL.key()), databaseName);
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(MysqlOptionRule.USER.key())) {
-            String username = requestParams.get(MysqlOptionRule.USER.key());
-            String password = requestParams.get(MysqlOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(MysqlOptionRule.USER.key()));
+            info.put("password", requestParams.get(MysqlOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }