ValidationQuery should be excluded from openjpa.ConnectionProperties and should be a separate property.
It is plausible that an application would not allow the the ValidationQuery to be configured, rather it would be hardcoded in the application.
On the other hand, the application may allow other db driver specific properties to be configured, and these values would then be concatenated into a ConnectionProperties string and passed by the application to the openjpa.ConnectionProperties, and then subsequently parsed into propertty map and passed to the driver by openjpa.
If the application does not sanitize all the configuration values that gets their way into the openjpa.ConnectionProperties string, then it is possible a for an attacker to a use driver specific setting to execute arbitrary SQL.
For example, let's suppose an application has this config option for the db connection: trustServerCertificate=true/false. Lets suppose this config property is concatenated into the openjpa.ConnectionProperties string by the application. The following value could result in executing a delete statement each time a connection validation query runs:
trustServerCertificate=true,TestOnBorrow=true,ValidationQuery=delete from transactions where id = 'abcd'
We have recently found and fixed such security hole in our application and I think it would be nice to have this fix in openjpa so it would prevent naive application developers to add such security holes into his/her application.
I am not familiar with openjpa codebase, but I included a rudimentary fix, so that it would be clear what I'm thinking about.