fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization

The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend.

Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>

Author: XananasX7

lib/private/TaskProcessing/Manager.php

@@ -940,12 +940,12 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 			$cachedValue = $this->distributedCache->get($cacheKey);
 			if ($cachedValue !== null) {
 				$this->availableTaskTypes = unserialize($cachedValue, [
-				'allowed_classes' => [
-					ShapeDescriptor::class,
-					ShapeEnumValue::class,
-					EShapeType::class,
-				],
-			]);
+					'allowed_classes' => [
+						ShapeDescriptor::class,
+						ShapeEnumValue::class,
+						EShapeType::class,
+					],
+				]);
 			}
 		}
 		// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.