[INLONG-5881][Manager] Fix the vulnerability for the MySQL JDBC URL (…

…addendum) (apache#5893)

inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java

@@ -45,13 +45,11 @@
 @AllArgsConstructor
 public class MySQLSinkDTO {
 
-    @VisibleForTesting
-    protected static final char SYMBOL = '&';
     /**
      * The sensitive param may lead the attack.
      */
-    @VisibleForTesting
-    protected static final String SENSITIVE_PARAM = "autoDeserialize=true";
+    private static final String SENSITIVE_PARAM_TRUE = "autoDeserialize=true";
+    private static final String SENSITIVE_PARAM_FALSE = "autoDeserialize=false";
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
     private static final Logger LOGGER = LoggerFactory.getLogger(MySQLSinkDTO.class);
 
@@ -181,23 +179,17 @@ private static String getDbNameFromUrl(String jdbcUrl) {
      */
     @VisibleForTesting
     protected static String filterSensitive(String url) {
-        if (StringUtils.isBlank(url) || !url.contains(SENSITIVE_PARAM)) {
-            LOGGER.info("string was empty or not contains sensitive for [{}]", url);
+        if (StringUtils.isBlank(url)) {
             return url;
         }
 
-        String originUrl = url;
-        int index = url.indexOf(SENSITIVE_PARAM);
-        String tmp = SENSITIVE_PARAM;
-        if (index == 0) {
-            tmp = tmp + SYMBOL;
-        } else if (url.charAt(index - 1) == SYMBOL) {
-            tmp = SYMBOL + tmp;
+        String resultUrl = url;
+        if (StringUtils.containsIgnoreCase(url, SENSITIVE_PARAM_TRUE)) {
+            resultUrl = StringUtils.replaceIgnoreCase(url, SENSITIVE_PARAM_TRUE, SENSITIVE_PARAM_FALSE);
         }
 
-        url = url.replace(tmp, "");
-        LOGGER.debug("the origin url [{}] was filter to: [{}]", originUrl, url);
-        return url;
+        LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, resultUrl);
+        return resultUrl;
     }
 
 }

inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java

@@ -20,28 +20,25 @@
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
-import static org.apache.inlong.manager.pojo.sink.mysql.MySQLSinkDTO.SENSITIVE_PARAM;
-import static org.apache.inlong.manager.pojo.sink.mysql.MySQLSinkDTO.SYMBOL;
-
 /**
  * Test for {@link MySQLSinkDTO}
  */
 public class MySQLSinkDTOTest {
 
     @Test
-    public void testFilterOther() {
+    public void testFilterSensitive() {
         // the sensitive params at the first
-        String originUrl = MySQLSinkDTO.filterSensitive(SENSITIVE_PARAM + SYMBOL + "autoReconnect=true");
-        Assertions.assertEquals("autoReconnect=true", originUrl);
+        String originUrl = MySQLSinkDTO.filterSensitive("autoDeserialize=TRue&autoReconnect=true");
+        Assertions.assertEquals("autoDeserialize=false&autoReconnect=true", originUrl);
 
         // the sensitive params at the end
-        originUrl = MySQLSinkDTO.filterSensitive("autoReconnect=true" + SYMBOL + SENSITIVE_PARAM);
-        Assertions.assertEquals("autoReconnect=true", originUrl);
+        originUrl = MySQLSinkDTO.filterSensitive("autoReconnect=true&autoDeserialize=trUE");
+        Assertions.assertEquals("autoReconnect=true&autoDeserialize=false", originUrl);
 
         // the sensitive params in the middle
         originUrl = MySQLSinkDTO.filterSensitive(
-                "useSSL=false" + SYMBOL + SENSITIVE_PARAM + SYMBOL + "autoReconnect=true");
-        Assertions.assertEquals("useSSL=false" + SYMBOL + "autoReconnect=true", originUrl);
+                "useSSL=false&autoDeserialize=TRUE&autoReconnect=true");
+        Assertions.assertEquals("useSSL=false&autoDeserialize=false&autoReconnect=true", originUrl);
     }
 
 }