Add security check for jdbc url in SecurityUtils.java (#5164)

* Add security check for jdbc url in SecurityUtils.java

* Update SecurityUtils.java

* Update SecurityUtils.java

linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java

@@ -79,6 +79,9 @@ public abstract class SecurityUtils {
 
   private static final String JDBC_MYSQL_PROTOCOL = "jdbc:mysql";
 
+  private static final String BLACKLIST_REGEX =
+      "autodeserialize|allowloadlocalinfile|allowurlinlocalinfile|allowloadlocalinfileinpath";
+
   /**
    * check mysql connection params
    *
@@ -118,6 +121,10 @@ public static void checkJdbcConnParams(
 
     // 3. Check params. Mainly vulnerability parameters. Note the url encoding
     checkParams(extraParams);
+
+    // 4. Check url security, especially for the possibility of malicious characters appearing on
+    // the host
+    checkUrlIsSafe(url);
   }
 
   /** @param url */
@@ -283,6 +290,35 @@ private static void checkParams(Map<String, Object> paramsMap) {
     }
   }
 
+  /**
+   * check url is safe
+   *
+   * @param url
+   */
+  public static void checkUrlIsSafe(String url) {
+    try {
+      String lowercaseURL = url.toLowerCase();
+
+      Pattern pattern = Pattern.compile(BLACKLIST_REGEX);
+      Matcher matcher = pattern.matcher(lowercaseURL);
+
+      StringBuilder foundKeywords = new StringBuilder();
+      while (matcher.find()) {
+        if (foundKeywords.length() > 0) {
+          foundKeywords.append(", ");
+        }
+        foundKeywords.append(matcher.group());
+      }
+
+      if (foundKeywords.length() > 0) {
+        throw new LinkisSecurityException(
+            35000, "url contains blacklisted characters: " + foundKeywords);
+      }
+    } catch (Exception e) {
+      throw new LinkisSecurityException(35000, "error occurred during url security check: " + e);
+    }
+  }
+
   private static Map<String, Object> parseMysqlUrlParamsToMap(String paramsUrl) {
     if (StringUtils.isBlank(paramsUrl)) {
       return new LinkedHashMap<>();