Fix CVE in the Apdex threshold configs, when activating the dynamic configuration feature. (#5811)

CHANGES.md

@@ -37,6 +37,7 @@ Release Notes.
 * Fix CVE in the alarm module, when activating the dynamic configuration feature.
 * Fix CVE in the endpoint grouping, when activating the dynamic configuration feature.
 * Fix CVE in the uninstrumented gateways configs, when activating the dynamic configuration feature.
+* Fix CVE in the Apdex threshold configs, when activating the dynamic configuration feature.
 * Make the codes and doc consistent in sharding server and core server.
 
 #### UI

oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/ApdexThresholdConfig.java

@@ -30,6 +30,7 @@ import org.apache.skywalking.oap.server.core.CoreModule;
 import org.apache.skywalking.oap.server.core.CoreModuleProvider;
 import org.apache.skywalking.oap.server.library.util.ResourceUtils;
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 /**
  * Apdex threshold configuration dictionary adapter. Looking up a service apdex threshold from dynamic config service.
@@ -94,7 +95,7 @@ public class ApdexThresholdConfig extends ConfigChangeWatcher implements Configu
 
     @SuppressWarnings("unchecked")
     private void updateConfig(final Reader contentRender) {
-        dictionary = (Map<String, Integer>) new Yaml().load(contentRender);
+        dictionary = (Map<String, Integer>) new Yaml(new SafeConstructor()).load(contentRender);
         if (dictionary == null) {
             dictionary = Collections.emptyMap();
         }