security: fix mysql jdbc deserialization security vulnerability (#912)

Co-authored-by: IL MARE <yh263208@oceanbase.com>

Author: PeachThinking

server/odc-service/src/main/java/com/oceanbase/odc/service/session/factory/DruidDataSourceFactory.java

@@ -92,6 +92,7 @@ private void init(DruidDataSource dataSource) {
         properties.setProperty("allowLoadLocalInfile", "false");
         properties.setProperty("allowUrlInLocalInfile", "false");
         properties.setProperty("allowLoadLocalInfileInPath", "");
+        properties.setProperty("autoDeserialize", "false");
         dataSource.setConnectProperties(properties);
         try {
             setConnectAndSocketTimeoutFromJdbcUrl(dataSource);

server/odc-service/src/main/java/com/oceanbase/odc/service/session/factory/OBConsoleDataSourceFactory.java

@@ -180,6 +180,8 @@ public static Map<String, String> getJdbcParams(@NonNull ConnectionConfig connec
         // fix arbitrary file reading vulnerability
         jdbcUrlParams.put("allowLoadLocalInfile", "false");
         jdbcUrlParams.put("allowUrlInLocalInfile", "false");
+        jdbcUrlParams.put("allowLoadLocalInfileInPath", "");
+        jdbcUrlParams.put("autoDeserialize", "false");
         return jdbcUrlParams;
     }
 
@@ -198,6 +200,7 @@ public DataSource getDataSource() {
         properties.setProperty("allowLoadLocalInfile", "false");
         properties.setProperty("allowUrlInLocalInfile", "false");
         properties.setProperty("allowLoadLocalInfileInPath", "");
+        properties.setProperty("autoDeserialize", "false");
         dataSource.setConnectionProperties(properties);
         if (autoCommit != null) {
             dataSource.setAutoCommit(autoCommit);

server/plugins/connect-plugin-mysql/src/main/java/com/oceanbase/odc/plugin/connect/mysql/MySQLConnectionExtension.java

@@ -71,6 +71,7 @@ public TestResult test(String jdbcUrl, String username, String password, int que
         properties.setProperty("allowLoadLocalInfile", "false");
         properties.setProperty("allowUrlInLocalInfile", "false");
         properties.setProperty("allowLoadLocalInfileInPath", "");
+        properties.setProperty("autoDeserialize", "false");
         TestResult testResult = test(jdbcUrl, properties, queryTimeout);
         if (testResult.getErrorCode() != null) {
             return testResult;