c4ab0d13de
Add three defenses to the Streamable deserialization system to prevent exploitation by hacked clients: - Class whitelist: ObjectInputStream.setAllowedClassPrefixes() validates class names before Class.forName(), blocking arbitrary class loading from crafted wire data. Callers configure at startup; unconfigured streams retain existing behavior for backward compatibility. - Container size caps: BasicStreamers.validateSize() rejects arrays, collections, and maps with negative or >65536 element counts. Prevents OOM from a small frame declaring a massive allocation. Applied to all 12 array/collection read paths and Streamer.ArrayStreamer. - Recursion depth limit: ObjectInputStream.readObject() tracks nesting depth and throws at 32 levels, preventing stack overflow from maliciously nested structures (e.g., list-of-list-of-list).