Harden ASM structure model deserialization against unexpected serialized types

[jmestwa-coder]

Summary

Harden AsmManager.readStructureModel(...) deserialization by replacing unrestricted ObjectInputStream usage with a restricted deserialization boundary that only permits expected ASM structure model and required JDK container/value types.

Changes

• Added StructureModelObjectInputStream to validate serialized classes during deserialization

• Reject unexpected serialized types before readObject() callbacks can execute

• Preserved existing deserialization flow and failure behavior

• Switched stream handling to try-with-resources

• Added compatibility coverage for realistic serialized graph container types:

  • LinkedHashMap
  • Arrays$ArrayList
  • Collections$Unmodifiable*

Tests

Added regression tests covering:

• structure model round-trip restoration

• raw ObjectInputStream callback execution behavior

• rejection of unexpected serialized types before callback execution

• compatibility round-trips for:

  • Arrays.asList(...)
  • Collections.unmodifiableList(...)
  • LinkedHashMap

[kriegaex]

Just in case you are wondering why sometimes I comment or run workflows on your behalf, but am not committing or merging anything:

Please note my July 2024 message to the aspectj-users and aspectj-announce mailing lists regarding my situation as an AspectJ maintainer. Andy Clement has since returned to fixing issues and releasing updates, but he has very little time, so response times can be longer than you might expect. Nobody has yet offered to sponsor my work for this project, so I am still on hiatus until someone finally does.