
#AI COMMIT# Fix JDBC URL encoding bypass and unsafe deserialization v…#5438

Merged: casionone merged 1 commit into master from fix/security-jdbc-deser-vuln on Jun 11, 2026

Conversation

@aiceflower (Member)

…ulnerabilities

  1. SecurityUtils.checkParams: Replace single URL decode with while-loop decode (consistent with checkJdbcConnParams) to prevent double-encoding bypass that allows attackers to smuggle sensitive params like allowLoadLocalInfile past the blacklist.

  2. SqlConnection (4 files): Replace DriverManager.getConnection(url,user,pwd) with getConnection(baseUrl, Properties). Security params are set first via SecurityUtils.getMysqlSecurityParams() and cannot be overridden by user-supplied extra params, providing defense-in-depth against URL parameter injection.

  3. CryptoUtils.string2Object: Add resolveClass whitelist allowing only java.lang.String, blocking all gadget chain deserialization attacks (CWE-502) while maintaining backward compatibility since passwords are stored as String objects.

What is the purpose of the change

EngineConn-Core defines the abstractions and interfaces of the EngineConn core functions.
The Engine Service in Linkis 0.x is refactored, EngineConn will handle the engine connection
and session management.

Related issues/PRs

Related issues: close #590 close #591
Related pr:#591

Brief change log

  • Define the core abstraction and interfaces of the EngineConn Factory;
  • Define the core abstraction and interfaces of Executor Manager.

Checklist

  • I have read the Contributing Guidelines on pull requests.
  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the Linkis mailing list first)
  • If this is a code change: I have written unit tests to fully verify the new behavior.

…ulnerabilities

1. SecurityUtils.checkParams: Replace single URL decode with while-loop
   decode (consistent with checkJdbcConnParams) to prevent double-encoding
   bypass that allows attackers to smuggle sensitive params like
   allowLoadLocalInfile past the blacklist.

2. SqlConnection (4 files): Replace DriverManager.getConnection(url,user,pwd)
   with getConnection(baseUrl, Properties). Security params are set first
   via SecurityUtils.getMysqlSecurityParams() and cannot be overridden by
   user-supplied extra params, providing defense-in-depth against URL
   parameter injection.

3. CryptoUtils.string2Object: Add resolveClass whitelist allowing only
   java.lang.String, blocking all gadget chain deserialization attacks
   (CWE-502) while maintaining backward compatibility since passwords
   are stored as String objects.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
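The first two items of the description, decoding to a fixpoint before the blacklist check and passing the security parameters through a `Properties` object that caller-supplied extras cannot override, as an added example. This is not Linkis code: `BLOCKED_KEYS`, `mysqlSecurityParams()` (a stand-in for `SecurityUtils.getMysqlSecurityParams()`), `MAX_DECODE_ROUNDS`, the reserved-key check and the `main` regression input are all assumptions made here, and the real Linkis blacklist and parameter set may differ.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Added example, not Linkis code: fixpoint URL decoding plus Properties-first connection setup. */
public final class JdbcParamHardening {

    // Constructed blacklist of Connector/J parameters a caller must never set (assumption).
    static final Set<String> BLOCKED_KEYS = Set.of(
            "allowloadlocalinfile", "allowloadlocalinfileinpath", "allowurlinlocalinfile",
            "autodeserialize", "allowmultiqueries");

    // A fixpoint is normally reached after one or two rounds; deeper nesting is rejected
    // outright instead of being decoded indefinitely (cap is an assumption).
    static final int MAX_DECODE_ROUNDS = 5;

    /** Decode repeatedly until the value stops changing, so no encoding layer survives the check. */
    static String decodeToFixpoint(String value) {
        String current = value;
        for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // "%" not followed by two hex digits: reject rather than guess what a driver would do.
                throw new IllegalArgumentException("malformed percent-encoding in JDBC parameter", malformed);
            }
            if (next.equals(current)) {
                return current;
            }
            current = next;
        }
        throw new IllegalArgumentException("JDBC parameter encoded more than " + MAX_DECODE_ROUNDS + " times");
    }

    /** Pre-fix behaviour, kept only for comparison: one decode, then the blacklist lookup. */
    static boolean singleDecodeBlocks(String key) {
        return BLOCKED_KEYS.contains(URLDecoder.decode(key, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT));
    }

    /** Fixed behaviour: the blacklist is consulted only after every encoding layer is removed. */
    static boolean fullDecodeBlocks(String key) {
        return BLOCKED_KEYS.contains(decodeToFixpoint(key).toLowerCase(Locale.ROOT));
    }

    /** Constructed stand-in for SecurityUtils.getMysqlSecurityParams(); the real set may differ. */
    static Properties mysqlSecurityParams() {
        Properties p = new Properties();
        p.setProperty("allowLoadLocalInfile", "false");
        p.setProperty("allowUrlInLocalInfile", "false");
        p.setProperty("autoDeserialize", "false");
        p.setProperty("allowMultiQueries", "false");
        return p;
    }

    /** Security params and credentials go in first; an extra may neither be blacklisted nor reuse a reserved key. */
    static Properties buildProperties(String user, String password, Map<String, String> extras) {
        Properties props = mysqlSecurityParams();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Compare reserved keys case-insensitively so a differently-cased duplicate cannot slip past.
        Set<String> reserved = new HashSet<>();
        for (String k : props.stringPropertyNames()) {
            reserved.add(k.toLowerCase(Locale.ROOT));
        }
        for (Map.Entry<String, String> e : extras.entrySet()) {
            String key = decodeToFixpoint(e.getKey());
            if (fullDecodeBlocks(key) || reserved.contains(key.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException("forbidden JDBC parameter: " + e.getKey());
            }
            props.setProperty(key, decodeToFixpoint(e.getValue()));
        }
        return props;
    }

    /** Open the connection with a query-free base URL and the Properties built above. */
    static Connection connect(String baseUrl, String user, String password, Map<String, String> extras)
            throws SQLException {
        if (baseUrl.contains("?")) {
            // How a driver reconciles URL parameters with the Properties object is driver-specific,
            // so the URL must not carry any parameters of its own.
            throw new IllegalArgumentException("baseUrl must not contain a query string");
        }
        return DriverManager.getConnection(baseUrl, buildProperties(user, password, extras));
    }

    public static void main(String[] args) {
        // Constructed regression input: the key percent-encoded twice ("%25" is "%", so "%2549" decodes to "%49", then to "I").
        String doubleEncoded = "allowLoadLocal%2549nfile";
        System.out.println("single decode blocks it: " + singleDecodeBlocks(doubleEncoded));
        System.out.println("fixpoint decode blocks it: " + fullDecodeBlocks(doubleEncoded));
        Properties p = buildProperties("app", "example-secret", Map.of("connectTimeout", "3000"));
        System.out.println("allowLoadLocalInfile=" + p.getProperty("allowLoadLocalInfile")
                + " connectTimeout=" + p.getProperty("connectTimeout"));
    }
}
```

The `main` is a regression check for the first item: the single-decode path compares `allowLoadLocal%49nfile` against the blacklist and finds nothing, while the fixpoint path compares `allowLoadLocalInfile` and rejects it. Two details a reviewer would ask about: `URLDecoder.decode` also turns `+` into a space, so values are normalised the same way on every round, and the reserved-key check is what makes "cannot be overridden" hold even if the driver matches property names case-insensitively.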
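The third item, an `ObjectInputStream` whose `resolveClass` admits only `java.lang.String`, as an added example that is not the project's `CryptoUtils.string2Object`. The class and method names (`StringOnlyInputStream`, `object2Bytes`, `bytes2String`), the `ALLOWED` set and the `java.util.Date` used as the rejected input are assumptions made here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** Added example, not Linkis code: deserialisation restricted to java.lang.String. */
public final class StringOnlyDeserializer {

    // The only class descriptor the stream may resolve. Assumption: stored values were
    // written with ObjectOutputStream.writeObject(String) and nothing else.
    static final Set<String> ALLOWED = Set.of("java.lang.String");

    /** ObjectInputStream that refuses every class descriptor outside ALLOWED. */
    static final class StringOnlyInputStream extends ObjectInputStream {
        StringOnlyInputStream(byte[] bytes) throws IOException {
            super(new ByteArrayInputStream(bytes));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Fail before the class is loaded, so no static initialiser or readObject of it ever runs.
                throw new InvalidClassException(desc.getName(), "class not permitted in this stream");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are a second way to resolve a class; a password stream never needs one.
            throw new InvalidClassException("proxy classes are not permitted in this stream");
        }
    }

    /** Serialise with the stock ObjectOutputStream, the way existing stored values were written. */
    static byte[] object2Bytes(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Deserialise through the restricted stream; only a String can come out, anything else is an exception. */
    static String bytes2String(byte[] bytes) throws IOException, ClassNotFoundException {
        try (StringOnlyInputStream in = new StringOnlyInputStream(bytes)) {
            Object o = in.readObject();
            if (!(o instanceof String)) {
                // Covers null and any value that reached readObject without a class descriptor.
                throw new InvalidClassException("stream did not contain a String");
            }
            return (String) o;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed round trip: a stored password survives the restricted stream unchanged.
        String pwd = bytes2String(object2Bytes("example-secret"));
        System.out.println("round trip intact: " + pwd.equals("example-secret"));

        // Any other serialised class (a plain java.util.Date here, no gadget involved) is refused
        // at descriptor resolution, before its class is touched.
        try {
            bytes2String(object2Bytes(new java.util.Date(0)));
            System.out.println("unexpected: non-String value accepted");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

One detail worth knowing when reviewing this kind of whitelist: a top-level `String` is written to the stream as `TC_STRING` with no class descriptor, so `resolveClass` is never consulted for it and the `java.lang.String` entry is purely defensive; the protection comes from rejecting every descriptor that does appear. On Java 9 and later the same policy can be expressed with `ObjectInputFilter` (JEP 290) via `ObjectInputStream.setObjectInputFilter`, which additionally bounds stream depth and array sizes.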

@casionone (Contributor) left a comment

LGTM.

@casionone casionone merged commit 44c38c4 into master Jun 11, 2026
16 of 22 checks passed
@casionone casionone deleted the fix/security-jdbc-deser-vuln branch June 11, 2026 07:43
aiceflower added a commit to aiceflower/linkis that referenced this pull request Jun 15, 2026
aiceflower added a commit to aiceflower/linkis that referenced this pull request Jun 15, 2026
aiceflower added a commit to WeDataSphere/linkis that referenced this pull request Jun 15, 2026
aiceflower added a commit to WeDataSphere/linkis that referenced this pull request Jun 16, 2026