fix(security): avoid serializing User in OnRegistrationCompleteEvent (CVE-2017-2603)#497

Open
navnitan-7 wants to merge 1 commit into mindskip:master from navnitan-7:fix/cve-2017-2603-registration-event-serialization

Conversation

@navnitan-7


Summary

Hardens OnRegistrationCompleteEvent against Java serialization leaking the full User graph (including password), following the same pattern as Jenkins CVE-2017-2603 / commit 3cd946c: mark the dedicated user field transient, add a serialization round-trip test, and parameterize Surefire so tests can run with -Dskip.unit.tests=false while keeping the previous default (tests skipped).

Reproduction (before)

  • source/xzs/src/main/java/com/mindskip/xzs/event/OnRegistrationCompleteEvent.java had private final User user; (non-transient).
  • Any code path that serializes the event could persist credentials from com.mindskip.xzs.domain.User.

Fix

  • private final transient User user + short Javadoc.
  • New OnRegistrationCompleteEventSerializationTest: after ObjectOutputStream / ObjectInputStream, getUser() is null.
  • pom.xml: <skip.unit.tests>true</skip.unit.tests> and <skipTests>${skip.unit.tests}</skipTests>.

Verification

cd source/xzs
mvn test -Dskip.unit.tests=false

Observed: BUILD SUCCESS; Surefire runs OnRegistrationCompleteEventSerializationTest.

mvn test

Observed: BUILD SUCCESS; tests still skipped by default.

Scope

  • Application code + one test class; no vendored trees changed.

Limitation

ApplicationEvent still receives super(user); this PR addresses the duplicate user field pattern aligned with the upstream fix. Further hardening could avoid passing the full User as the event source if required.
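The round-trip check the PR describes, written out as an added stand-alone example rather than the project's own test class. It uses java.util.EventObject (the class Spring's ApplicationEvent extends, whose own `source` field the JDK declares transient) as a stand-in for ApplicationEvent, a constructed User with a placeholder password, and additionally scans the serialized bytes for that placeholder so the leak is checked on the wire form, not only via the accessor:

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.EventObject;

// Constructed stand-in for com.mindskip.xzs.domain.User (not the project's class).
class User implements Serializable {
    private static final long serialVersionUID = 1L;
    final String userName;
    final String password; // the credential that must never leave the process via serialization
    User(String userName, String password) { this.userName = userName; this.password = password; }
}

// Mirrors the fixed event shape. EventObject is what ApplicationEvent extends, and its
// 'source' field is transient in the JDK, so the super(user) path is not serialized either.
class OnRegistrationCompleteEvent extends EventObject {
    private static final long serialVersionUID = 1L;
    /** Not serialized: deserialized instances return null from getUser(). */
    private final transient User user;
    OnRegistrationCompleteEvent(User user) { super(user); this.user = user; }
    User getUser() { return user; }
}

public class SerializationRoundTrip {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }
    // Crude leak check on the byte stream: ObjectOutputStream writes String values as (modified) UTF-8,
    // so an ASCII password that was serialized shows up verbatim.
    static boolean bytesContain(byte[] bytes, String needle) {
        return new String(bytes, StandardCharsets.ISO_8859_1).contains(needle);
    }
    public static void main(String[] args) throws Exception {
        User user = new User("alice", "PLACEHOLDER-pw-1234"); // constructed sample credential
        byte[] bytes = serialize(new OnRegistrationCompleteEvent(user));
        OnRegistrationCompleteEvent back = (OnRegistrationCompleteEvent) deserialize(bytes);
        if (back.getUser() != null || back.getSource() != null)
            throw new AssertionError("User object survived serialization");
        if (bytesContain(bytes, "PLACEHOLDER-pw-1234"))
            throw new AssertionError("password bytes present in serialized form");
        System.out.println("OK: neither the user field nor the event source is serialized");
    }
}
```

Dropping `transient` from the `user` field makes the second check fail, which is the condition the PR's test is meant to guard against regressing.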

…VE-2017-2603)

Mark the dedicated user field transient so Java serialization cannot
rehydrate credentials. Add a round-trip serialization test. Parameterize
Surefire skip with skip.unit.tests so CI/maintainers can run tests with
-Dskip.unit.tests=false while preserving the previous default.

Made-with: Cursor
@navnitan-7

Author

Hi reviewers,

I've addressed the security concern related to CVE-2017-2603 by marking the User field in OnRegistrationCompleteEvent as transient to prevent sensitive data from being serialized.
I also added a dedicated unit test to verify the serialization behavior and updated the Maven configuration to make test execution configurable.

Could you please take a look and share your feedback when you have a moment?

Thanks in advance!

@mindskip


1 participant