[SCB-2145]fix local yaml unsafe parse problem (#2102)

foundations/foundation-config/src/main/java/org/apache/servicecomb/config/YAMLUtil.java

@@ -25,6 +25,7 @@
 import java.util.Map;
 
 import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 /**
  * Created by   on 2017/1/5.
@@ -45,7 +46,7 @@ private YAMLUtil() {
   @SuppressWarnings("unchecked")
   public static Map<String, Object> yaml2Properties(InputStream input) {
     Map<String, Object> configurations = new LinkedHashMap<>();
-    Yaml yaml = new Yaml();
+    Yaml yaml = new Yaml(new SafeConstructor());
     yaml.loadAll(input).forEach(data -> configurations.putAll(retrieveItems("", (Map<String, Object>) data)));
     return configurations;
   }

foundations/foundation-config/src/main/java/org/apache/servicecomb/config/archaius/sources/YAMLConfigLoader.java

@@ -22,16 +22,13 @@
 import java.net.URL;
 import java.util.Map;
 
-import org.yaml.snakeyaml.Yaml;
+import org.apache.servicecomb.config.YAMLUtil;
 
 public class YAMLConfigLoader extends AbstractConfigLoader {
-  @SuppressWarnings("unchecked")
   @Override
   protected Map<String, Object> loadData(URL url) throws IOException {
-    Yaml yaml = new Yaml();
-
     try (InputStream inputStream = url.openStream()) {
-      return yaml.loadAs(inputStream, Map.class);
+      return YAMLUtil.yaml2Properties(inputStream);
     }
   }
 }

java-chassis-dependencies/default/pom.xml

@@ -97,7 +97,7 @@
     <seanyinx.version>1.0.0</seanyinx.version>
     <servo.version>0.12.25</servo.version>
     <slf4j.version>1.7.26</slf4j.version>
-    <snakeyaml.version>1.24</snakeyaml.version>
+    <snakeyaml.version>1.27</snakeyaml.version>
     <spectator.version>0.83.0</spectator.version>
     <spring.version>4.3.20.RELEASE</spring.version>
     <spring-boot.version>1.5.19.RELEASE</spring-boot.version>

service-registry/src/main/java/org/apache/servicecomb/serviceregistry/client/LocalServiceRegistryClientImpl.java

@@ -19,6 +19,7 @@
 
 import static org.apache.servicecomb.serviceregistry.definition.DefinitionConst.DEFAULT_APPLICATION_ID;
 
+import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
@@ -30,6 +31,7 @@
 
 import javax.ws.rs.core.Response.Status;
 
+import org.apache.servicecomb.config.YAMLUtil;
 import org.apache.servicecomb.foundation.vertx.AsyncResultCallback;
 import org.apache.servicecomb.serviceregistry.api.registry.Microservice;
 import org.apache.servicecomb.serviceregistry.api.registry.MicroserviceInstance;
@@ -49,7 +51,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.StringUtils;
-import org.yaml.snakeyaml.Yaml;
 
 import com.google.common.base.Charsets;
 import com.google.common.hash.Hashing;
@@ -81,7 +82,15 @@ public LocalServiceRegistryClientImpl() {
       return;
     }
 
-    initFromData(is);
+    try {
+      initFromData(is);
+    } finally {
+      try {
+        is.close();
+      } catch (IOException e) {
+        LOGGER.error("", e);
+      }
+    }
   }
 
   public LocalServiceRegistryClientImpl(InputStream is) {
@@ -93,9 +102,7 @@ public LocalServiceRegistryClientImpl(Map<String, Object> data) {
   }
 
   private void initFromData(InputStream is) {
-    Yaml yaml = new Yaml();
-    @SuppressWarnings("unchecked")
-    Map<String, Object> data = yaml.loadAs(is, Map.class);
+    Map<String, Object> data = YAMLUtil.yaml2Properties(is);
     initFromData(data);
   }