DBZ-6157 Disable potentially dangerous MySQL JDBC props

debezium-connector-mysql/src/main/java/io/debezium/connector/mysql/MySqlConnection.java

@@ -524,6 +524,13 @@ public MySqlConnectionConfiguration(Configuration config) {
 
             jdbcConfigBuilder.with(JDBC_PROPERTY_CONNECTION_TIME_ZONE, determineConnectionTimeZone(dbConfig));
 
+            // Set and remove options to prevent potential vulnerabilities
+            jdbcConfigBuilder
+                    .with("allowLoadLocalInfile", "false")
+                    .with("allowUrlInLocalInfile", "false")
+                    .with("autoDeserialize", false)
+                    .without("queryInterceptors");
+
             this.jdbcConfig = JdbcConfiguration.adapt(jdbcConfigBuilder.build());
             String driverClassName = this.jdbcConfig.getString(MySqlConnectorConfig.JDBC_DRIVER);
             factory = JdbcConnection.patternBasedFactory(MySqlConnection.URL_PATTERN, driverClassName, getClass().getClassLoader());

debezium-connector-sqlserver/src/main/java/io/debezium/connector/sqlserver/SqlServerJdbcConfiguration.java

@@ -97,6 +97,12 @@ public Builder withDefault(String key, String value) {
                 return this;
             }
 
+            @Override
+            public Builder without(String key) {
+                builder.without(key);
+                return this;
+            }
+
             @Override
             public Builder apply(Consumer<SqlServerJdbcConfiguration.Builder> function) {
                 function.accept(this);
@@ -148,6 +154,12 @@ public Builder withDefault(String key, String value) {
                 return this;
             }
 
+            @Override
+            public Builder without(String key) {
+                builder.without(key);
+                return this;
+            }
+
             @Override
             public Builder apply(Consumer<SqlServerJdbcConfiguration.Builder> function) {
                 function.accept(this);

debezium-core/src/main/java/io/debezium/config/Configuration.java

@@ -475,6 +475,14 @@ default B withDefault(Field field, Class<?> value) {
             return withDefault(field.name(), value != null ? value.getName() : null);
         }
 
+        /**
+         * Remove the value associated with the specified key.
+         *
+         * @param key the key
+         * @return this builder object so methods can be chained together; never null
+         */
+        B without(String key);
+
         /**
          * Apply the function to this builder.
          *
@@ -691,6 +699,12 @@ public Builder withDefault(String key, String value) {
             return this;
         }
 
+        @Override
+        public Builder without(String key) {
+            props.remove(key);
+            return this;
+        }
+
         @Override
         public Builder apply(Consumer<Builder> function) {
             function.accept(this);

debezium-core/src/main/java/io/debezium/jdbc/JdbcConfiguration.java

@@ -213,6 +213,12 @@ public Builder withDefault(String key, String value) {
                 return this;
             }
 
+            @Override
+            public Builder without(String key) {
+                builder.without(key);
+                return this;
+            }
+
             @Override
             public Builder apply(Consumer<Builder> function) {
                 function.accept(this);
@@ -264,6 +270,12 @@ public Builder withDefault(String key, String value) {
                 return this;
             }
 
+            @Override
+            public Builder without(String key) {
+                builder.without(key);
+                return this;
+            }
+
             @Override
             public Builder apply(Consumer<Builder> function) {
                 function.accept(this);