bugfix: Unsafe deserialization in processorYaml.java #6839 (#6840)

LegGasai · web-flow · commit c0d2ac540b55 · 2024-09-11T10:22:43.000+08:00
diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
@@ -41,6 +41,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6825](https://github.com/apache/incubator-seata/pull/6825)] Fix the issue of XA mode transaction timeout and inability to roll back in Postgres
 - [[#6833](https://github.com/apache/incubator-seata/pull/6833)] SQLIntegrityConstraintViolationException capture incorrectly when inserting a globallock
 - [[#6835](https://github.com/apache/incubator-seata/pull/6835)] Fix the issue of missing request body of post method in HttpClientUtil
+- [[#6840](https://github.com/apache/incubator-seata/pull/6840)] Fix the issue of unsafe deserialization in ProcessorYaml.java
 
 
 
@@ -140,7 +141,6 @@ Thanks to these contributors for their code commits. Please report an unintended
 - [lightClouds917](https://github.com/lightClouds917)
 - [l81893521](https://github.com/l81893521)
 - [laywin](https://github.com/laywin)
-- [xingfudeshi](https://github.com/xingfudeshi)
 - [xiaoxiangyeyu0](https://github.com/xiaoxiangyeyu0)
 - [LegGasai](https://github.com/LegGasai)
 - [yangli-stu](https://github.com/yangli-stu)
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
@@ -42,6 +42,7 @@
 - [[#6825](https://github.com/apache/incubator-seata/pull/6825)] 修复Postgres的XA模式事务超时无法回滚问题
 - [[#6833](https://github.com/apache/incubator-seata/pull/6833)] 插入全局锁时 SQLIntegrityConstraintViolationException 捕获不正确
 - [[#6835](https://github.com/apache/incubator-seata/pull/6835)] 修复HttpClientUtil中post方法请求体缺失的问题
+- [[#6840](https://github.com/apache/incubator-seata/pull/6840)] 修复ProcessorYaml中不安全的反序列化
 
 
 ### optimize:
@@ -141,7 +142,6 @@
 - [lightClouds917](https://github.com/lightClouds917)
 - [l81893521](https://github.com/l81893521)
 - [laywin](https://github.com/laywin)
-- [xingfudeshi](https://github.com/xingfudeshi)
 - [xiaoxiangyeyu0](https://github.com/xiaoxiangyeyu0)
 - [LegGasai](https://github.com/LegGasai)
 - [yangli-stu](https://github.com/yangli-stu)
diff --git a/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java b/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java
@@ -19,7 +19,9 @@
 
 import org.apache.seata.common.loader.LoadLevel;
 import org.apache.seata.common.util.MapUtil;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.util.Map;
 import java.util.Properties;
@@ -34,7 +36,7 @@ public class ProcessorYaml implements Processor {
     @Override
     public Properties processor(String config) {
         Properties properties = new Properties();
-        Map<String, Object> configMap = MapUtil.asMap(new Yaml().load(config));
+        Map<String, Object> configMap = MapUtil.asMap(new Yaml(new SafeConstructor(new LoaderOptions())).load(config));
         properties.putAll(MapUtil.getFlattenedMap(configMap));
         return properties;
     }
