another dangerous query param

Author: pjfanning

jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java

@@ -156,6 +156,8 @@ public class JDBCInterpreter extends KerberosInterpreter {
           "KerberosConfigPath", "KerberosKeytabPath", "KerberosCredentialCachePath",
           "extraCredentials", "roles", "sessionProperties"));
 
+  private static final String ALLOW_LOAD_LOCAL = "allowLoadLocal";
+
   private static final String ALLOW_LOAD_LOCAL_IN_FILE_NAME = "allowLoadLocalInfile";
 
   private static final String AUTO_DESERIALIZE = "autoDeserialize";
@@ -594,7 +596,8 @@ private void validateConnectionUrl(String url) {
     String decodedUrl = URLDecoder.decode(url, StandardCharsets.UTF_8);
     Map<String, String> params = parseUrlParameters(decodedUrl);
 
-    if (containsKeyIgnoreCase(params, ALLOW_LOAD_LOCAL_IN_FILE_NAME) ||
+    if (containsKeyIgnoreCase(params, ALLOW_LOAD_LOCAL) ||
+            containsKeyIgnoreCase(params, ALLOW_LOAD_LOCAL_IN_FILE_NAME) ||
             containsKeyIgnoreCase(params, AUTO_DESERIALIZE) ||
             containsKeyIgnoreCase(params, ALLOW_LOCAL_IN_FILE_NAME) ||
             containsKeyIgnoreCase(params, ALLOW_URL_IN_LOCAL_IN_FILE_NAME)) {

jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java

@@ -750,6 +750,7 @@ void testSplitSqlQueryWithComments() throws IOException,
   @Test
   void testValidateConnectionUrl() throws IOException, InterpreterException {
     Properties properties = new Properties();
+    // it easier to unit test with H2 but this is really a MySQL issue (and maybe MariaDB too)
     properties.setProperty("default.driver", "org.h2.Driver");
     properties.setProperty("default.url", getJdbcConnection() + ";allowLoadLocalInfile=true");
     properties.setProperty("default.user", "");
@@ -762,9 +763,26 @@ void testValidateConnectionUrl() throws IOException, InterpreterException {
             interpreterResult.message().get(0).getData());
   }
 
+  @Test
+  void testValidateConnectionUrlAllowLoadLocal() throws IOException, InterpreterException {
+    Properties properties = new Properties();
+    // it easier to unit test with H2 but this is really a MySQL issue (and maybe MariaDB too)
+    properties.setProperty("default.driver", "org.h2.Driver");
+    properties.setProperty("default.url", getJdbcConnection() + ";allowLoadLocal=true");
+    properties.setProperty("default.user", "");
+    properties.setProperty("default.password", "");
+    JDBCInterpreter jdbcInterpreter = new JDBCInterpreter(properties);
+    jdbcInterpreter.open();
+    InterpreterResult interpreterResult = jdbcInterpreter.interpret("SELECT 1", context);
+    assertEquals(InterpreterResult.Code.ERROR, interpreterResult.code());
+    assertEquals("Connection URL contains improper configuration",
+        interpreterResult.message().get(0).getData());
+  }
+
   @Test
   void testValidateConnectionUrlEncoded() throws IOException, InterpreterException {
     Properties properties = new Properties();
+    // it easier to unit test with H2 but this is really a MySQL issue (and maybe MariaDB too)
     properties.setProperty("default.driver", "org.h2.Driver");
     properties.setProperty("default.url", getJdbcConnection() + ";%61llowLoadLocalInfile=true");
     properties.setProperty("default.user", "");