From fd93ddbe2b38c49f8d723c2ea95f3fcb2aa0b17e Mon Sep 17 00:00:00 2001
From: hailin0
Date: Wed, 12 Jun 2024 12:04:44 +0800
Subject: [PATCH] [Hotfix] Fix arbitrary file readvulnerability on mysql jdbc link

https://github.com/apache/security-site/commit/5a193b7e29dc616d019784ca9fbf1671f3f0b4d2
---
 .../mysql/jdbc/MysqlJdbcDataSourceChannel.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
index 78a7f62e9..24e863b28 100644
--- a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
+++ b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -187,11 +188,15 @@ private Connection getConnection(Map requestParams, String datab
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(MysqlOptionRule.URL.key()), databaseName);
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(MysqlOptionRule.USER.key())) {
-            String username = requestParams.get(MysqlOptionRule.USER.key());
-            String password = requestParams.get(MysqlOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(MysqlOptionRule.USER.key()));
+            info.put("password", requestParams.get(MysqlOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
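Review bot: `info.put("password", requestParams.get(MysqlOptionRule.PASSWORD.key()))` throws a NullPointerException when the USER key is present but PASSWORD is missing from requestParams, because Properties is a Hashtable and rejects null values; the removed code passed that null straight to DriverManager.getConnection(url, username, password), which tolerates a null password, so passwordless accounts now fail where they previously connected. Guard it with `String password = requestParams.get(MysqlOptionRule.PASSWORD.key()); if (password != null) { info.put("password", password); }` and treat the user value the same way. It would also be worth recording in a comment at the Properties block that the driver is expected to give an explicitly passed Properties entry precedence over a same-named key embedded in the caller-supplied URL, since the URL itself comes from requestParams and the hardening only holds if these three entries win — please confirm that against the Connector/J version in use. As a style point, `new java.util.Properties()` can be `new Properties()` now that the earlier hunk adds the import; getConnection's signature sits in the hunk header, so the method begins outside this hunk.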