LegGasai opened a new issue, #6839: URL: https://github.com/apache/incubator-seata/issues/6839
<!-- Please do not use this issue template to report security vulnerabilities but refer to our [security policy](https://github.com/seata/seata/security/policy). -->

- [ ] I have searched the [issues](https://github.com/seata/seata/issues) of this repository and believe that this is not a duplicate.

### Ⅰ. Issue Description

There could be potential security issues in processorYaml deserialization, as we can see from https://codeql.github.com/codeql-query-help/java/java-unsafe-deserialization/

SnakeYAML - org.yaml:snakeyaml
Secure by Default: No
Recommendation: Pass an instance of org.yaml.snakeyaml.constructor.SafeConstructor to org.yaml.snakeyaml.Yaml's constructor before using it to deserialize untrusted data.

### Ⅱ. Describe what happened

If there is an exception, please attach the exception trace:

```
Just paste your stack trace here!
```

### Ⅲ. Describe what you expected to happen

### Ⅳ. How to reproduce it (as minimally and precisely as possible)

1. xxx
2. xxx
3. xxx

Minimal yet complete reproducer code (or URL to code):

### Ⅴ. Anything else we need to know?

### Ⅵ. Environment:

- JDK version(e.g. `java -version`):
- Seata client/server version:
- Database version:
- OS(e.g. `uname -a`):
- Others:

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
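The difference the CodeQL recommendation is pointing at, shown as an added example that is not Seata's processorYaml code and not part of the issue above. It assumes SnakeYAML 1.x (before 2.0), where a default `new Yaml()` resolves any `!!fully.qualified.ClassName` global tag by reflectively instantiating that class; the two YAML documents are constructed for the demonstration, and `java.io.File` is chosen as the tagged class only because constructing it has no side effects. On SnakeYAML 2.x the `SafeConstructor` constructor takes a `LoaderOptions` argument and the default constructor already rejects global tags unless a `TagInspector` allows them.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlDemo {

    // Constructed sample: an ordinary configuration document.
    static final String CONFIG_YAML =
            "server:\n"
          + "  host: 127.0.0.1\n"
          + "  port: 8091\n";

    // Constructed sample: the same shape, but with a global tag that asks the
    // loader to instantiate an arbitrary JDK class from the document.
    // java.io.File is harmless to construct; the mechanism is the same for
    // classes whose constructors or setters do real work.
    static final String TAGGED_YAML =
            "server: !!java.io.File [\"/etc/passwd\"]\n";

    /** Default Yaml (SnakeYAML 1.x): resolves global tags via reflection. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /**
     * Yaml built with SafeConstructor: only the standard YAML types
     * (map, sequence, str, int, float, bool, null, timestamp, binary)
     * are constructed; any other global tag raises a YAMLException.
     * On SnakeYAML 2.x use new SafeConstructor(new LoaderOptions()).
     */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    /** Returns the runtime class of the "server" value after an unsafe load. */
    static Class<?> classProducedByUnsafeLoad(String doc) {
        Map<?, ?> m = (Map<?, ?>) loadUnsafe(doc);
        return m.get("server").getClass();
    }

    /** True if the safe loader refused the document. */
    static boolean safeLoaderRejects(String doc) {
        try {
            loadSafe(doc);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Plain configuration still loads with the safe constructor.
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(CONFIG_YAML);
        System.out.println("safe load of plain config: " + cfg);

        // The default loader turns a string in the document into a live object.
        System.out.println("unsafe load instantiated: "
                + classProducedByUnsafeLoad(TAGGED_YAML).getName());

        // The safe loader refuses the tag instead of instantiating the class.
        System.out.println("safe loader rejects tagged document: "
                + safeLoaderRejects(TAGGED_YAML));
    }
}
```

The practical check for a code base is to grep for `new Yaml(` and confirm that every instance which can see attacker-influenced input (uploaded files, request bodies, remotely fetched configuration) is built with `SafeConstructor`; a `Yaml` used only on files shipped with the application is lower risk but costs nothing to harden the same way, since ordinary configuration, as the first document shows, needs no global tags.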