This is an automated email from the ASF dual-hosted git repository.

xingfudeshi pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/incubator-seata.git


The following commit(s) were added to refs/heads/2.x by this push:
     new c0d2ac540b bugfix:  Unsafe deserialization in processorYaml.java #6839 (#6840)
c0d2ac540b is described below

commit c0d2ac540b5579e909ae3240f112575313fcad34
Author: LegGasai <75920107+legga...@users.noreply.github.com>
AuthorDate: Wed Sep 11 10:22:43 2024 +0800

    bugfix:  Unsafe deserialization in processorYaml.java #6839 (#6840)
---
 changes/en-us/2.x.md                                                  | 2 +-
 changes/zh-cn/2.x.md                                                  | 2 +-
 .../main/java/org/apache/seata/config/processor/ProcessorYaml.java    | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
index f0ee86741f..63d681c47f 100644
--- a/changes/en-us/2.x.md
+++ b/changes/en-us/2.x.md
@@ -41,6 +41,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6825](https://github.com/apache/incubator-seata/pull/6825)] Fix the issue 
of XA mode transaction timeout and inability to roll back in Postgres
 - [[#6833](https://github.com/apache/incubator-seata/pull/6833)] 
SQLIntegrityConstraintViolationException capture incorrectly when inserting a 
globallock
 - [[#6835](https://github.com/apache/incubator-seata/pull/6835)] Fix the issue 
of missing request body of post method in HttpClientUtil
+- [[#6840](https://github.com/apache/incubator-seata/pull/6840)] Fix the issue 
of unsafe deserialization in ProcessorYaml.java
 
 
 
@@ -140,7 +141,6 @@ Thanks to these contributors for their code commits. Please 
report an unintended
 - [lightClouds917](https://github.com/lightClouds917)
 - [l81893521](https://github.com/l81893521)
 - [laywin](https://github.com/laywin)
-- [xingfudeshi](https://github.com/xingfudeshi)
 - [xiaoxiangyeyu0](https://github.com/xiaoxiangyeyu0)
 - [LegGasai](https://github.com/LegGasai)
 - [yangli-stu](https://github.com/yangli-stu)
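Review bot: the removal of `- [xingfudeshi](https://github.com/xingfudeshi)` from the contributors list in this hunk is unrelated to the deserialization fix and is not mentioned in the commit message; it looks like a rebase or merge artifact. Either confirm it is intentional or drop it from this PR so the change stays limited to the ProcessorYaml fix and its changelog entry.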
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
index 7489323f82..9868fa5fec 100644
--- a/changes/zh-cn/2.x.md
+++ b/changes/zh-cn/2.x.md
@@ -42,6 +42,7 @@
 - [[#6825](https://github.com/apache/incubator-seata/pull/6825)] 
修复Postgres的XA模式事务超时无法回滚问题
 - [[#6833](https://github.com/apache/incubator-seata/pull/6833)] 插入全局锁时 
SQLIntegrityConstraintViolationException 捕获不正确
 - [[#6835](https://github.com/apache/incubator-seata/pull/6835)] 
修复HttpClientUtil中post方法请求体缺失的问题
+- [[#6840](https://github.com/apache/incubator-seata/pull/6840)] 
修复ProcessorYaml中不安全的反序列化
 
 
 ### optimize:
@@ -141,7 +142,6 @@
 - [lightClouds917](https://github.com/lightClouds917)
 - [l81893521](https://github.com/l81893521)
 - [laywin](https://github.com/laywin)
-- [xingfudeshi](https://github.com/xingfudeshi)
 - [xiaoxiangyeyu0](https://github.com/xiaoxiangyeyu0)
 - [LegGasai](https://github.com/LegGasai)
 - [yangli-stu](https://github.com/yangli-stu)
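Review bot: same unrelated removal of `- [xingfudeshi](https://github.com/xingfudeshi)` as in the en-us contributors list; whatever is decided there should be applied to both files so the two changelogs stay in sync.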
diff --git 
a/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java
 
b/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java
index 5bc4bfda18..875a3bb287 100644
--- 
a/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java
+++ 
b/config/seata-config-core/src/main/java/org/apache/seata/config/processor/ProcessorYaml.java
@@ -19,7 +19,9 @@ package org.apache.seata.config.processor;
 
 import org.apache.seata.common.loader.LoadLevel;
 import org.apache.seata.common.util.MapUtil;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 import java.util.Map;
 import java.util.Properties;
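Review bot: the new `org.yaml.snakeyaml.LoaderOptions` and `org.yaml.snakeyaml.constructor.SafeConstructor` imports only compile if the SnakeYAML version managed by the build exposes the `SafeConstructor(LoaderOptions)` constructor (present in recent 1.x releases and the only form in 2.x; older 1.x releases have only the no-arg constructor). Please check the managed SnakeYAML version in the parent POM and state it in the PR so downstream modules that pin an older version are not broken by this import.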
@@ -34,7 +36,7 @@ public class ProcessorYaml implements Processor {
     @Override
     public Properties processor(String config) {
         Properties properties = new Properties();
-        Map<String, Object> configMap = MapUtil.asMap(new Yaml().load(config));
+        Map<String, Object> configMap = MapUtil.asMap(new Yaml(new 
SafeConstructor(new LoaderOptions())).load(config));
         properties.putAll(MapUtil.getFlattenedMap(configMap));
         return properties;
     }
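Review bot: the switch from `new Yaml().load(config)` to `new Yaml(new SafeConstructor(new LoaderOptions())).load(config)` is the right fix: `SafeConstructor` only constructs the standard YAML tags, so a configuration document can no longer cause instantiation of arbitrary Java classes through a global tag, which is what the default constructor allowed. Two things are missing from the hunk, though. First, there is no regression test; add a unit test in seata-config-core that passes `processor` a document carrying a non-standard tag and asserts that SnakeYAML rejects it (it throws a `ConstructorException`), plus one that an ordinary nested mapping still flattens to the expected `Properties` keys via `MapUtil.getFlattenedMap`. Second, `new LoaderOptions()` keeps SnakeYAML's defaults; since this is the place where untrusted configuration text is parsed, consider tightening them here as well (for example the alias limit via `setMaxAliasesForCollections`) and note in the changelog that documents relying on custom tags will now fail to load.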


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org
For additional commands, e-mail: notifications-h...@seata.apache.org
