Fix CVE in the endpoint grouping, when activating the dynamic configuration feature. (#5801)

CHANGES.md

@@ -31,6 +31,7 @@ Release Notes.
 * Fix storage-jdbc isExists not set dbname.
 * Fix `searchService` bug in the InfluxDB storage implementation.
 * Fix CVE in the alarm module, when activating the dynamic configuration feature.
+* Fix CVE in the endpoint grouping, when activating the dynamic configuration feature.
 * Make the codes and doc consistent in sharding server and core server.
 
 #### UI

oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/config/group/EndpointGroupingRuleReader.java

@@ -25,6 +25,7 @@ import java.util.Map;
 import java.util.Objects;
 import org.apache.skywalking.apm.util.StringUtil;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 /**
  * Read the input stream including the default endpoint grouping rules. And trans
@@ -33,13 +34,13 @@ public class EndpointGroupingRuleReader {
     private Map yamlData;
 
     public EndpointGroupingRuleReader(InputStream inputStream) {
-        Yaml yaml = new Yaml();
-        yamlData = yaml.loadAs(inputStream, Map.class);
+        Yaml yaml = new Yaml(new SafeConstructor());
+        yamlData = (Map) yaml.load(inputStream);
     }
 
     public EndpointGroupingRuleReader(Reader io) {
-        Yaml yaml = new Yaml();
-        yamlData = yaml.loadAs(io, Map.class);
+        Yaml yaml = new Yaml(new SafeConstructor());
+        yamlData = (Map) yaml.load(io);
     }
 
     /**