fix: prevent PHP Object Injection in Entity ArrayCast #10335
michalsn
left a comment
I agree the fix makes sense technically, but I do not think we should change this behavior in v4. We already had a similar PR.
In normal Entity usage, values are saved through ArrayCast::set(), so even a string that looks like serialized malicious data is stored as a string. It is not later unserialized into an object.
To exploit this, an attacker would need to control the raw value stored in the database, for example through SQL injection, an unsafe import, or custom code that stores untrusted serialized data.
Last but not least - this is a BC break. Apps that store arrays with objects in array-cast fields would start getting __PHP_Incomplete_Class instead of the original objects. This is why we decided not to change this when we introduced Model Casting, which already has this hardening.
Description
Fixes a PHP Object Injection vulnerability in `CodeIgniter\Entity\Cast\ArrayCast::get()`. The `unserialize()` call was missing the `['allowed_classes' => false]` restriction. This could allow an attacker to instantiate arbitrary classes (POP chains) if they pass a serialized object wrapped in an array payload. The fix disables object instantiation during unserialization and adds a unit test to verify the behavior.
Checklist:
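An added illustration, not CodeIgniter's code and not part of this PR, of the two `unserialize()` calls the description contrasts, together with the `__PHP_Incomplete_Class` outcome the review raises for arrays that legitimately contain objects. `DemoArrayCast`, `Money` and `wouldDegrade()` are stand-ins invented for the example and assume PHP 8.

```php
<?php
// Stand-in for an array cast (constructed for this example, not the real ArrayCast).
final class DemoArrayCast
{
    /** Stores an array as a serialized string, as the description says set() does. */
    public static function set(array $value): string
    {
        return serialize($value);
    }

    /** Original get(): any class name found in the payload is instantiated. */
    public static function getUnrestricted(string $stored): array
    {
        return (array) unserialize($stored);
    }

    /** Hardened get(): objects in the payload become __PHP_Incomplete_Class. */
    public static function getHardened(string $stored): array
    {
        return (array) unserialize($stored, ['allowed_classes' => false]);
    }
}

// Constructed application class standing in for an object kept inside an array-cast field.
final class Money
{
    public function __construct(public int $cents = 0) {}
}

/** Migration check: true if a stored value holds objects the hardened cast would degrade. */
function wouldDegrade(string $stored): bool
{
    $walk = static function ($v) use (&$walk): bool {
        if ($v instanceof __PHP_Incomplete_Class) {
            return true;
        }
        if (is_array($v)) {
            foreach ($v as $item) {
                if ($walk($item)) {
                    return true;
                }
            }
        }
        return false;
    };
    return $walk(unserialize($stored, ['allowed_classes' => false]));
}

// Legitimate data of the kind the review describes: an array containing an object.
$stored = DemoArrayCast::set(['price' => new Money(1999), 'tags' => ['a', 'b']]);
var_dump(DemoArrayCast::getUnrestricted($stored)['price'] instanceof Money);
var_dump(DemoArrayCast::getHardened($stored)['price'] instanceof __PHP_Incomplete_Class);
var_dump(wouldDegrade($stored), wouldDegrade(DemoArrayCast::set(['tags' => ['a']])));
```

Scalars and nested arrays pass through the hardened call unchanged; only the object entries are replaced, which is the BC break the review points out.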