From 5b84c5ad1873c568c36dc74f34245ed0dd701352 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=B4=E6=99=9F=20Wu=20Sheng?=
Date: Mon, 9 Nov 2020 15:55:56 +0800
Subject: [PATCH] Fix CVE in the Apdex threshold configs, when activating the dynamic configuration feature. (#5811)

---
 CHANGES.md | 1 +
 .../oap/server/core/analysis/ApdexThresholdConfig.java | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index 46e4279791..1ea48668ae 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -37,6 +37,7 @@ Release Notes.
 * Fix CVE in the alarm module, when activating the dynamic configuration feature.
 * Fix CVE in the endpoint grouping, when activating the dynamic configuration feature.
 * Fix CVE in the uninstrumented gateways configs, when activating the dynamic configuration feature.
+* Fix CVE in the Apdex threshold configs, when activating the dynamic configuration feature.
 * Make the codes and doc consistent in sharding server and core server.
 #### UI
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
index 7c9c0cc05a..0ac90f48ca 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java
@@ -30,6 +30,7 @@ import org.apache.skywalking.oap.server.core.CoreModule;
 import org.apache.skywalking.oap.server.core.CoreModuleProvider;
 import org.apache.skywalking.oap.server.library.util.ResourceUtils;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
 * Apdex threshold configuration dictionary adapter. Looking up a service apdex threshold from dynamic config service.
@@ -94,7 +95,7 @@ public class ApdexThresholdConfig extends ConfigChangeWatcher implements Configu
 @SuppressWarnings("unchecked")
 private void updateConfig(final Reader contentRender) {
- dictionary = (Map) new Yaml().load(contentRender);
+ dictionary = (Map) new Yaml(new SafeConstructor()).load(contentRender);
 if (dictionary == null) {
 dictionary = Collections.emptyMap();
 }
--
GitLab
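Review bot: The `(Map)` cast on the new `+` line still throws `ClassCastException` when the dynamic-config payload parses to something other than a mapping (a bare scalar or a sequence), and the `if (dictionary == null)` guard only covers an empty document, so a malformed value pushed through the configuration service would escape `updateConfig` unless a caller outside the hunk catches it. Consider `final Object loaded = new Yaml(new SafeConstructor()).load(contentRender);` followed by `dictionary = loaded instanceof Map ? (Map) loaded : Collections.emptyMap();`, which also makes the null branch redundant. `SafeConstructor` does limit the loader to standard YAML types, which is the substance of the fix; a short comment on that line such as `// SafeConstructor: config content is externally supplied, so arbitrary-class YAML tags must not be instantiated` would keep the next maintainer from reverting to `new Yaml()`. The body of updateConfig continues past the end of the hunk.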