diff --git a/CHANGES.md b/CHANGES.md
index 46e42797911ff8a654e0f4bd254a06846b668a5a..1ea48668ae92227c4981ce8927fc766cd299622e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -37,6 +37,7 @@ Release Notes.
 * Fix CVE in the alarm module, when activating the dynamic configuration feature.
 * Fix CVE in the endpoint grouping, when activating the dynamic configuration feature.
 * Fix CVE in the uninstrumented gateways configs, when activating the dynamic configuration feature.
+* Fix CVE in the Apdex threshold configs, when activating the dynamic configuration feature.
 * Make the codes and doc consistent in sharding server and core server.
 
 #### UI
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
index 7c9c0cc05ab46523e2a8c1f90f25937055293075..0ac90f48ca51ca6423b4915d6f0ae68a23191e65 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
@@ -30,6 +30,7 @@ import org.apache.skywalking.oap.server.core.CoreModule;
 import org.apache.skywalking.oap.server.core.CoreModuleProvider;
 import org.apache.skywalking.oap.server.library.util.ResourceUtils;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 /**
  * Apdex threshold configuration dictionary adapter. Looking up a service apdex threshold from dynamic config service.
@@ -94,7 +95,7 @@ public class ApdexThresholdConfig extends ConfigChangeWatcher implements Configu
 
 @SuppressWarnings("unchecked")
 private void updateConfig(final Reader contentRender) {
- dictionary = (Map) new Yaml().load(contentRender);
+ dictionary = (Map) new Yaml(new SafeConstructor()).load(contentRender);
 if (dictionary == null) {
 dictionary = Collections.emptyMap();
 }
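Review bot: The raw `(Map)` cast on the changed line is still unguarded: with `SafeConstructor` a document whose root is a scalar or a sequence is constructed as a `String` or `List`, so the cast throws `ClassCastException` and the `null` fallback two lines below never runs. Since the content comes from the dynamic config service (per the class Javadoc in the earlier hunk), a type check before assigning would fail softer, e.g. `final Object loaded = new Yaml(new SafeConstructor()).load(contentRender);` followed by `dictionary = loaded instanceof Map ? (Map) loaded : Collections.emptyMap();`, keeping the existing empty-map fallback. A short comment on the constructor call, `// SafeConstructor: only standard YAML types, no arbitrary class instantiation from dynamic config`, would record why the default `new Yaml()` must not be reinstated. updateConfig's closing brace is outside the hunk.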