From 58ef4f0b98428cc795c2844eaa6e1762e8248227 Mon Sep 17 00:00:00 2001
From: Jiri Pechanec
Date: Thu, 4 May 2023 09:32:15 +0200
Subject: [PATCH] DBZ-6157 Disable potentially dangerous MySQL JDBC props

---
 .../debezium/connector/mysql/MySqlConnection.java | 7 +++++++
 .../sqlserver/SqlServerJdbcConfiguration.java | 12 ++++++++++++
 .../java/io/debezium/config/Configuration.java | 14 ++++++++++++++
 .../java/io/debezium/jdbc/JdbcConfiguration.java | 12 ++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java b/debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java
index c444e5214..3fae417c7 100644
--- a/debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java
+++ b/debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java
@@ -524,6 +524,13 @@ public MySqlConnectionConfiguration(Configuration config) {
 
 jdbcConfigBuilder.with(JDBC_PROPERTY_CONNECTION_TIME_ZONE, determineConnectionTimeZone(dbConfig));
 
+ // Set and remove options to prevent potential vulnerabilities
+ jdbcConfigBuilder
+ .with("allowLoadLocalInfile", "false")
+ .with("allowUrlInLocalInfile", "false")
+ .with("autoDeserialize", false)
+ .without("queryInterceptors");
+
 this.jdbcConfig = JdbcConfiguration.adapt(jdbcConfigBuilder.build());
 String driverClassName = this.jdbcConfig.getString(MySqlConnectorConfig.JDBC_DRIVER);
 factory = JdbcConnection.patternBasedFactory(MySqlConnection.URL_PATTERN, driverClassName, getClass().getClassLoader());
diff --git a/debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java b/debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java
index 56603ea69..a18d58a36 100644
--- a/debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java
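Review bot: The four hardening entries unconditionally override whatever the operator configured for those keys, with no diagnostic, so a deliberately set `allowLoadLocalInfile` simply disappears; if this class has a logger (not visible in the hunk), a `warn` naming the overridden key whenever the incoming `dbConfig` already carries a conflicting value would make the behaviour traceable. The value representations are mixed — `"false"` for the first two `with` calls but the boolean `false` for `autoDeserialize` — and the keys are bare literals inside a constructor; one representation and named constants would keep the list auditable. The list also stops at `queryInterceptors`, while Connector/J loads classes by name from other property families as well (`exceptionInterceptors`, `connectionLifecycleInterceptors`, and `statementInterceptors` on drivers that still accept the pre-8.0 spelling), which deserve the same `without` treatment if the supported driver versions honour them. The comment could state what is being defended against instead of "potential vulnerabilities", e.g. `// Hardening: forbid client-side file reads, driver-side deserialization and class loading from connection properties; operator-supplied values for these keys are deliberately overridden`. The enclosing `MySqlConnectionConfiguration` constructor begins and ends outside the hunk.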
+++ b/debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java
@@ -97,6 +97,12 @@ public Builder withDefault(String key, String value) {
 return this;
 }
 
+ @Override
+ public Builder without(String key) {
+ builder.without(key);
+ return this;
+ }
+
 @Override
 public Builder apply(Consumer function) {
 function.accept(this);
@@ -148,6 +154,12 @@ public Builder withDefault(String key, String value) {
 return this;
 }
 
+ @Override
+ public Builder without(String key) {
+ builder.without(key);
+ return this;
+ }
+
 @Override
 public Builder apply(Consumer function) {
 function.accept(this);
diff --git a/debezium-core/src/main/java/io/debezium/config/Configuration.java b/debezium-core/src/main/java/io/debezium/config/Configuration.java
index 0813fbcf7..978fefc8d 100644
--- a/debezium-core/src/main/java/io/debezium/config/Configuration.java
+++ b/debezium-core/src/main/java/io/debezium/config/Configuration.java
@@ -475,6 +475,14 @@ default B withDefault(Field field, Class value) {
 return withDefault(field.name(), value != null ? value.getName() : null);
 }
 
+ /**
+ * Remove the value associated with the specified key.
+ *
+ * @param key the key
+ * @return this builder object so methods can be chained together; never null
+ */
+ B without(String key);
+
 /**
 * Apply the function to this builder.
 *
@@ -691,6 +699,12 @@ public Builder withDefault(String key, String value) {
 return this;
 }
 
+ @Override
+ public Builder without(String key) {
+ props.remove(key);
+ return this;
+ }
+
 @Override
 public Builder apply(Consumer function) {
 function.accept(this);
diff --git a/debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java b/debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java
index 558fedf3a..28b79424b 100644
--- a/debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java
+++ b/debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java
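Review bot: The new `without(String key)` on the builder interface has no `Field` overload, whereas the neighbouring `with`/`withDefault` methods do (the hunk header itself shows `withDefault(Field field, Class value)` delegating via `field.name()`), so a caller holding a `Field` must spell its name out; a default method `default B without(Field field) { return without(field.name()); }` beside it would keep the builder API uniform. The Javadoc should also pin down the edge cases the word "remove" leaves open: what happens when the key is absent (presumably a no-op that still returns `this`) and whether `null` is accepted, since the `Properties`-backed implementation further down this file would reject a null key — `@throws NullPointerException if {@code key} is null` if that is the intended contract. The enclosing `ConfigBuilder` interface begins and ends outside the hunk.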
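Review bot: `props.remove(key)` drops only the exactly spelled key, so the MySQL hardening built on it (`without("queryInterceptors")`) is only as strict as the key matching of the consuming driver; if that driver resolves property names case-insensitively, a differently cased spelling of the same key survives the removal and is still honoured — verify against the Connector/J version in use, and if so remove by case-insensitive match, `props.keySet().removeIf(k -> key.equalsIgnoreCase(String.valueOf(k)));`. The commit adds no test for the new builder method; a unit test that sets a key with `with`, removes it with `without` and asserts it is absent from `build()` would pin the contract for all four implementations. The enclosing `Builder` class begins and ends outside the hunk.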
@@ -213,6 +213,12 @@ public Builder withDefault(String key, String value) {
 return this;
 }
 
+ @Override
+ public Builder without(String key) {
+ builder.without(key);
+ return this;
+ }
+
 @Override
 public Builder apply(Consumer function) {
 function.accept(this);
@@ -264,6 +270,12 @@ public Builder withDefault(String key, String value) {
 return this;
 }
 
+ @Override
+ public Builder without(String key) {
+ builder.without(key);
+ return this;
+ }
+
 @Override
 public Builder apply(Consumer function) {
 function.accept(this);