
Deserialization security #4891

Closed
wants to merge 7 commits into from

Conversation

chickenlj (Contributor)

What is the purpose of the change

Add a deserialization blacklist.

dubbo.security.serialization.check=true/false
dubbo.security.serialization.blacklist=Class1,Class2
dubbo.registry.serialization.blacklist.file=file storing classes in blacklist

Brief changelog

XXXXX

Verifying this change

XXXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a GITHUB_issue field for the change (usually before you start working on it). Trivial changes like typos do not require a GITHUB issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [Dubbo-XXX] Fix UnknownException when host config not exist #XXX. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write the necessary unit tests to verify your logic change; prefer mocks where cross-module dependencies exist. If a new feature or significant change is committed, please remember to add a sample in the dubbo samples project.
  • Run mvn clean install -DskipTests=false & mvn clean test-compile failsafe:integration-test to make sure unit-test and integration-test pass.
  • If this contribution is large, please follow the Software Donation Guide.
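As an added illustration of the check those three properties configure (this is not Dubbo's SerialDetector or code from this PR; the property names are taken from the description above, while the class, the defaults and the blacklist file format are assumptions), a minimal ObjectInputStream that rejects blacklisted classes in resolveClass:

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

// Hypothetical blacklist-enforcing stream (illustration, not Dubbo's implementation).
public class BlacklistObjectInputStream extends ObjectInputStream {
    private final boolean checkEnabled;
    private final Set<String> blacklist;

    public BlacklistObjectInputStream(InputStream in, Properties props) throws IOException {
        super(in);
        // Property names as listed in the PR description; the defaults are assumptions.
        this.checkEnabled = Boolean.parseBoolean(
                props.getProperty("dubbo.security.serialization.check", "false"));
        this.blacklist = loadBlacklist(props);
    }

    static Set<String> loadBlacklist(Properties props) throws IOException {
        Set<String> names = new HashSet<>();
        // Comma-separated class names from the inline property.
        for (String s : props.getProperty("dubbo.security.serialization.blacklist", "").split(",")) {
            if (!s.trim().isEmpty()) names.add(s.trim());
        }
        // Optional file: one class name per line, '#' comments (file format is an assumption).
        String file = props.getProperty("dubbo.registry.serialization.blacklist.file");
        if (file != null) {
            for (String line : Files.readAllLines(Paths.get(file))) {
                String t = line.trim();
                if (!t.isEmpty() && !t.startsWith("#")) names.add(t);
            }
        }
        return names;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Arrays arrive as "[Lpkg.Type;"; reduce to the element type so an
        // array of a blocked class is rejected as well.
        String name = desc.getName();
        while (name.startsWith("[")) name = name.substring(1);
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        if (checkEnabled && blacklist.contains(name)) {
            // Fail before Class.forName can run the blocked type's static initializer.
            throw new InvalidClassException(desc.getName(), "class is on the deserialization blacklist");
        }
        return super.resolveClass(desc);
    }
}
```

Exact-name matching only stops the classes that are listed; where the set of expected types is known, an allowlist in the same hook (or a JDK ObjectInputFilter, available from 8u121 and 9) is the stronger control.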

codecov-io commented Aug 20, 2019

Codecov Report

Merging #4891 into master will increase coverage by 0.02%.
The diff coverage is 59.09%.


@@             Coverage Diff              @@
##             master    #4891      +/-   ##
============================================
+ Coverage     64.01%   64.03%   +0.02%     
- Complexity      452      459       +7     
============================================
  Files           769      772       +3     
  Lines         33161    33333     +172     
  Branches       5230     5250      +20     
============================================
+ Hits          21227    21346     +119     
- Misses         9516     9554      +38     
- Partials       2418     2433      +15
Impacted Files                                          Coverage Δ              Complexity Δ
...rpc/protocol/httpinvoker/HttpRemoteInvocation.java   100%   <ø>     (ø)       3  <0> (ø)
.../rpc/protocol/httpinvoker/HttpInvokerProtocol.java   67.85% <ø>     (ø)       11 <0> (ø)
...otocol/httpinvoker/HttpInvokerServiceExporter.java   100%   <100%>  (ø)       2  <2> (?)
...on/serialize/nativejava/NativeJavaObjectInput.java   80.76% <100%>  (ø)       0  <0> (ø)
...mon/serialize/java/CompactedObjectInputStream.java   52.38% <28.57%> (-11.91%) 0  <0> (ø)
...ol/httpinvoker/CodebaseAwareObjectInputStream.java   44.44% <44.44%> (ø)       3  <3> (?)
...e/dubbo/common/serialize/java/JavaObjectInput.java   50%    <50%>   (ø)       0  <0> (ø)
.../org/apache/dubbo/common/utils/SerialDetector.java   62.68% <62.68%> (ø)       0  <0> (?)
...ache/dubbo/remoting/transport/AbstractChannel.java   37.5%  <0%>    (-50%)    0% <0%> (ø)
.../apache/dubbo/remoting/transport/AbstractPeer.java   58.69% <0%>    (-10.87%) 0% <0%> (ø)
... and 70 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 06f7190...f39a015.

chickenlj closed this Dec 9, 2019