Fix #13799: Add unit test for YamlCodec to verify security

dubbo-remoting/dubbo-remoting-http12/src/test/java/org/apache/dubbo/remoting/http12/message/codec/YamlCodecTest.java

@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http12.message.codec;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class YamlCodecTest {
+
+    @Test
+    void testYamlSecurityVulnerability() {
+        String maliciousYaml =
+                "!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL [\"http://127.0.0.1/\"] ]] ]";
+
+        InputStream is = new ByteArrayInputStream(maliciousYaml.getBytes(StandardCharsets.UTF_8));
+
+        assertThrows(
+                Exception.class,
+                () -> YamlCodec.INSTANCE.decode(is, Object.class, StandardCharsets.UTF_8),
+                "Security Hole: YamlCodec should have rejected the malicious class 'javax.script.ScriptEngineManager'");
+    }
+}