Added two more known vulnerable classes suggested by Mo.

harawata · harawata · commit 61488d4a50dc · 2018-07-10T23:06:19.000+09:00
diff --git a/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java b/src/main/java/org/apache/ibatis/executor/loader/AbstractSerialStateHolder.java
@@ -133,12 +133,15 @@ protected abstract Object createDeserializationProxy(Object target, Map<String,
 
   private static class LookAheadObjectInputStream extends ObjectInputStream {
     private static final List<String> blacklist = Arrays.asList(
+        "org.apache.commons.beanutils.BeanComparator",
         "org.apache.commons.collections.functors.InvokerTransformer",
         "org.apache.commons.collections.functors.InstantiateTransformer",
         "org.apache.commons.collections4.functors.InvokerTransformer",
         "org.apache.commons.collections4.functors.InstantiateTransformer",
-        "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.MethodClosure",
+        "org.codehaus.groovy.runtime.ConvertedClosure",
+        "org.codehaus.groovy.runtime.MethodClosure",
         "org.springframework.beans.factory.ObjectFactory",
+        "org.springframework.transaction.jta.JtaTransactionManager",
         "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
 
     public LookAheadObjectInputStream(InputStream in) throws IOException {
