Fixed the security risk of deserialization;

source/utils/utils-serialize/src/main/java/com/jd/blockchain/utils/serialize/binary/BinarySerializeUtils.java

@@ -4,7 +4,6 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
 
@@ -46,9 +45,10 @@ public class BinarySerializeUtils {
 	@SuppressWarnings("unchecked")
 	public static <T> T deserialize(InputStream in) {
 		try {
-			ObjectInputStream objIn = new ObjectInputStream(in);
-			Object obj = objIn.readObject();
-			return (T) obj;
+			try(FilteredObjectInputStream objIn = new FilteredObjectInputStream(in)){
+				Object obj = objIn.readObject();
+				return (T) obj;
+			}
 		} catch (IOException e) {
 			throw new RuntimeIOException(e.getMessage(), e);
 		} catch (ClassNotFoundException e) {

source/utils/utils-serialize/src/main/java/com/jd/blockchain/utils/serialize/binary/FilteredObjectInputStream.java

@@ -0,0 +1,35 @@
+package com.jd.blockchain.utils.serialize.binary;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.HashSet;
+import java.util.Set;
+
+public class FilteredObjectInputStream extends ObjectInputStream {
+	
+	private static final Set<String> classBlacklist = new HashSet<String>();
+
+	/**
+	 * 把指定类型加入禁止反序列化的类型黑名单；
+	 * 
+	 * @param className
+	 */
+	public static void addBlackList(String className) {
+		classBlacklist.add(className);
+	}
+
+	public FilteredObjectInputStream(InputStream in) throws IOException {
+		super(in);
+	}
+
+	@Override
+	protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+		if (classBlacklist.contains(desc.getName())) {
+			throw new SecurityException("Class["+desc.getName()+"] is forbidden to deserialize because it is in the blacklist!");
+		}
+		return super.resolveClass(desc);
+	}
+
+}