
[SECURITY][DS] Complete CVE-2023-49566 fix for non-MySQL JDBC drivers #5449

Merged: casionone merged 1 commit into apache:master from aiceflower:dev-CVE-2023-49566-jdbc-params on Jun 26, 2026

Conversation

@aiceflower

Member

What is the purpose of the change

The CVE-2023-49566 fix shipped earlier only protected the MySQL/StarRocks
SqlConnection implementations. The eight other JDBC driver families used by
the metadata-query / datasource-manager modules still streamed user-supplied
extraParams straight onto the JDBC URL with no allowlist/denylist, so any
authenticated user could inject driver-specific dangerous properties and reach
DriverManager.getConnection with them.

This is the "incomplete fix of CVE-2023-49566" report forwarded by ASF Security
(reporter: greybtw, tested on 1.8.0, CVSS 8.8).

Per-driver sinks reachable before this PR:

| Driver | Sink |
| --- | --- |
| PostgreSQL / Greenplum / KingBase | socketFactory + socketFactoryArg -> reflective class instantiation -> RCE on PG drivers < 42.2.25 / < 42.3.2 |
| DB2 | clientRerouteServerListJNDIName -> JNDI injection (the original CVE-2023-49566 sink) |
| Oracle | oracle.net.tns_admin / javax.net.ssl.trustStore -> TLS/TNS config hijack |
| SQL Server | jaasConfigurationName -> JAAS lookup |
| ClickHouse / DM | covered defensively (no known high-risk param today) |

Brief change log

  • New linkis-commons/.../utils/JdbcDriverType.java: enum identifying the 10 JDBC driver families.
  • linkis-commons/.../utils/SecurityUtils.java: add generic JDBC security layer
    • checkJdbcConnParams(JdbcDriverType, host, port, username, password, database, extraParams) — driver-aware denylist dispatch, URL-decode loop, host-injection guard
    • buildSecureProperties(JdbcDriverType, username, password, extraParams) — builds a Properties bag with driver-specific force-set security defaults first, then credentials, then user params that don't conflict with the force-set keys
    • Per-driver config keys: linkis.jdbc.security.check.enable, linkis.jdbc.{global,postgres,db2,oracle,sqlserver}.blocked.params, linkis.jdbc.{postgres,db2,oracle,sqlserver,clickhouse,dm}.force.params
  • All 16 SqlConnection implementations (8 drivers x 2 modules) now:
    1. call SecurityUtils.checkJdbcConnParams(driverType, ...)
    2. obtain the connection via DriverManager.getConnection(url, props) with props = SecurityUtils.buildSecureProperties(...)
    3. never concatenate extraParams onto the URL
  • datasource-manager/.../AbstractSqlConnection.java: the (currently orphaned) hard-coded PostgreSQL path is also routed through SecurityUtils so a future revival cannot reintroduce the sink.
  • linkis-commons/.../SecurityUtilsTest.java: 10 new unit tests covering
    • per-driver denylist (PG socketFactory, DB2 JNDI, Oracle tns_admin, SQL Server JAAS, global denylist)
    • URL-encoded bypass (%73ocketFactory)
    • host-injection (evil.com:5432/db?socketFactory=x, #, &)
    • force-params-wins semantics (SQL Server trustServerCertificate=false overrides user true)
    • benign params pass through for every driver family

Backward compatibility

  • MySQL and StarRocks keep their existing CVE-2023-49566 fix unchanged.
  • The new check is on by default (linkis.jdbc.security.check.enable=true); operators who need to disable it temporarily can flip the flag.
  • Existing tests (SecurityUtilsTest — 19 tests) all pass.

Checklist

  • I have read the Contributing Guidelines on pull requests.
  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible
  • If this is a code change: I have written unit tests to fully verify the new behavior.

Note

This is a security fix for a privately-reported issue routed through ASF Security.
Until the PMC triages it, please keep the discussion on the private security
channel rather than the public PR. The PR can stay [WIP] until the embargo lifts.

🤖 Generated with Claude Code

…JDBC drivers

The CVE-2023-49566 fix shipped earlier only protected the MySQL/StarRocks
SqlConnection implementations. The eight other JDBC driver families used by
the metadata-query / datasource-manager modules (PostgreSQL, Oracle, SQL
Server, ClickHouse, KingBase, Greenplum, DM, DB2) still streamed user-
supplied extraParams straight onto the JDBC URL with no allowlist/denylist,
so any authenticated user could inject driver-specific dangerous properties:

  * PG/Greenplum/KingBase: socketFactory + socketFactoryArg -> RCE on
    drivers below 42.2.25 / 42.3.2
  * DB2: clientRerouteServerListJNDIName -> JNDI injection (the original
    CVE-2023-49566 sink)
  * Oracle: oracle.net.tns_admin / javax.net.ssl.trustStore -> TLS/TNS
    hijack
  * SQL Server: jaasConfigurationName -> JAAS lookup

Fix extends the MySQL-only SecurityUtils path to every driver family:

  * Add JdbcDriverType enum + per-driver denylist/force-params config in
    SecurityUtils (checkJdbcConnParams(JdbcDriverType, ...) and
    buildSecureProperties).
  * All 16 SqlConnection implementations (8 drivers x 2 modules) now call
    SecurityUtils.checkJdbcConnParams and route through Properties-based
    DriverManager.getConnection, never URL concatenation.
  * Add 10 unit tests covering each driver denylist, URL-encoded bypass,
    host injection, and force-params-wins semantics.

Files:
  linkis-commons/linkis-common/.../utils/JdbcDriverType.java   (new)
  linkis-commons/linkis-common/.../utils/SecurityUtils.java
  linkis-commons/linkis-common/.../utils/SecurityUtilsTest.java
  linkis-public-enhancements/linkis-datasource/linkis-datasource-manager/
    service/jdbc/.../AbstractSqlConnection.java
  linkis-public-enhancements/linkis-datasource/linkis-{metadata-query,
    datasource-manager}/service/jdbc/.../{postgres,oracle,sqlserver,
    clickhouse,kingbase,greenplum,dm,db2}/SqlConnection.java

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
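The checkJdbcConnParams / buildSecureProperties design described in the PR body and in the commit message above, as an added illustration that is not Linkis code: a driver-aware denylist with a URL-decode loop, a host-injection guard, and force-params-wins merging. The Driver enum, the denylist and forced-value tables, and the JdbcParamGuard class and method names are constructed for this example (Linkis reads its real lists from the linkis.jdbc.*.blocked.params / linkis.jdbc.*.force.params configuration); it assumes Java 11 or newer.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

// Added illustration, not Linkis code. The denylists and forced values below are
// hypothetical samples standing in for the linkis.jdbc.*.blocked/force.params config.
public final class JdbcParamGuard {
    enum Driver { POSTGRES, DB2, ORACLE, SQLSERVER }

    private static final Set<String> GLOBAL_BLOCKED = Set.of("javax.net.ssl.truststore");
    private static final Map<Driver, Set<String>> BLOCKED = new EnumMap<>(Map.of(
        Driver.POSTGRES,  Set.of("socketfactory", "socketfactoryarg"),
        Driver.DB2,       Set.of("clientrerouteserverlistjndiname"),
        Driver.ORACLE,    Set.of("oracle.net.tns_admin"),
        Driver.SQLSERVER, Set.of("jaasconfigurationname")));
    private static final Map<Driver, Map<String, String>> FORCED = new EnumMap<>(Map.of(
        Driver.SQLSERVER, Map.of("trustServerCertificate", "false")));
    // Plain hostnames / IPv4 literals only, so ':' '/' '?' '#' '&' can never reach the URL.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]*$");

    // Decode until the string stops changing, so "%73ocketFactory" and the
    // double-encoded "%2573ocketFactory" both normalise to "socketFactory" first.
    static String fullyDecode(String s) {
        String prev;
        do { prev = s; s = URLDecoder.decode(s, StandardCharsets.UTF_8); } while (!s.equals(prev));
        return s;
    }

    // Host-injection guard plus global and per-driver denylist, keys compared after decoding.
    static void checkJdbcConnParams(Driver d, String host, Map<String, String> extra) {
        if (host == null || !HOST.matcher(host).matches())
            throw new IllegalArgumentException("host is not a plain hostname/IP: " + host);
        Set<String> blocked = BLOCKED.getOrDefault(d, Set.of());
        for (String key : extra.keySet()) {
            String k = fullyDecode(key).toLowerCase(Locale.ROOT);
            if (GLOBAL_BLOCKED.contains(k) || blocked.contains(k))
                throw new IllegalArgumentException("blocked " + d + " parameter: " + key);
        }
    }

    // Forced security defaults first, then credentials, then user params; a user key that
    // collides (case-insensitively) with a forced key is dropped, so the forced value wins.
    static Properties buildSecureProperties(Driver d, String user, String pass, Map<String, String> extra) {
        Map<String, String> forced = FORCED.getOrDefault(d, Map.of());
        Set<String> forcedLower = new HashSet<>();
        forced.keySet().forEach(k -> forcedLower.add(k.toLowerCase(Locale.ROOT)));
        Properties p = new Properties();
        forced.forEach(p::setProperty);
        p.setProperty("user", user); p.setProperty("password", pass);
        for (Map.Entry<String, String> e : extra.entrySet())
            if (!forcedLower.contains(e.getKey().toLowerCase(Locale.ROOT))) p.setProperty(e.getKey(), e.getValue());
        return p; // hand to DriverManager.getConnection(url, p); the url carries host/port/db only
    }
}
```

With these samples, a SQL Server caller passing trustServerCertificate=true still ends up with "false" in the returned Properties, and a PostgreSQL caller passing %73ocketFactory is rejected before any URL is built.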

@casionone casionone left a comment

Contributor


LGTM.

@casionone casionone merged commit 602467b into apache:master Jun 26, 2026
5 of 11 checks passed