4ra1n/jdk-8

[Y4-00010] Prevent JDBC Attack from DriverManager

4ra1n opened this issue · 0 comments

When the JDBC connection string is attacker-controllable, certain parameters can lead to Remote Code Execution (RCE). For example, the `autoDeserialize` parameter of the MySQL driver triggers Java deserialization while the connection is being established; the `socketFactory` parameter of the PostgreSQL driver, when controllable, can be combined with `ClassPathXmlApplicationContext` to achieve RCE; and the `INIT=RUNSCRIPT FROM` parameter of the H2 driver can execute arbitrary code. Some of these behaviors have been fixed by the driver vendors, but many drivers treat them as features and do not fix them. Y4-JDK will implement the defense at the `DriverManager` level, below any individual driver.
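As an added illustration of the kind of check described above (this is not Y4-JDK's own code, and the `JdbcUrlGuard` class name, the `findDeniedParameter`/`guardedConnect` methods and the sample URLs are assumptions), a deny-list guard applied to a caller-controlled JDBC URL and `Properties` before `DriverManager.getConnection()` ever hands them to a driver:

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.*;
/** Added illustration, not Y4-JDK's own code: a deny-list check applied to a
 *  caller-controlled JDBC URL before DriverManager.getConnection() sees it. */
public final class JdbcUrlGuard {
    // Parameter names taken from the issue text; matched case-insensitively.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "autodeserialize", // MySQL Connector/J: deserializes column data on read
        "socketfactory",   // PostgreSQL: loads and instantiates a caller-named class
        "init"));          // H2: INIT=RUNSCRIPT FROM ... runs an arbitrary SQL script
    /** Returns the first denied parameter name found in the URL, or null. */
    public static String findDeniedParameter(String jdbcUrl) {
        if (jdbcUrl == null) return null;
        // MySQL/PostgreSQL use "?a=b&c=d", H2 uses ";a=b;c=d": split on all of them.
        for (String part : jdbcUrl.split("[?;&]")) {
            int eq = part.indexOf('=');
            if (eq < 0) continue;
            String key = part.substring(0, eq).trim();
            try {
                key = URLDecoder.decode(key, "UTF-8"); // drivers percent-decode keys too
            } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                // malformed escape: the raw key is compared instead
            }
            if (DENIED.contains(key.toLowerCase(Locale.ROOT))) return key;
        }
        return null;
    }
    /** Rejects the URL (and any Properties) before any driver is invoked. */
    public static Connection guardedConnect(String url, Properties props) throws SQLException {
        String bad = findDeniedParameter(url);
        if (bad == null && props != null) {
            for (String name : props.stringPropertyNames()) {
                if (DENIED.contains(name.toLowerCase(Locale.ROOT))) { bad = name; break; }
            }
        }
        if (bad != null) throw new SQLException("JDBC parameter not allowed: " + bad);
        return DriverManager.getConnection(url, props);
    }
    public static void main(String[] args) { // constructed sample URLs, no driver loaded
        for (String u : new String[] {"jdbc:mysql://db.example/app?useSSL=false",
                "jdbc:mysql://db.example/app?autoDeserialize=true",
                "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'x.sql'"})
            System.out.println(u + " -> denied: " + findDeniedParameter(u));
    }
}
```

A deny-list by parameter name only covers the parameters it names; where the set of legitimate parameters is known, an allow-list of expected keys (and a fixed driver prefix) is the stronger check.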


Refer to: