Add safelist for object unserialization

config/settings.php

@@ -175,4 +175,22 @@
     |
     */
     'cache_default_value' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Unserialize Safelist
+    |--------------------------------------------------------------------------
+    |
+    | When using the default value serializer class from this package, we
+    | will only unserialize objects that have their classes whitelisted here.
+    | Any other objects will be unserialized to something like:
+    | __PHP_Incomplete_Class(App\Models\User) {...}
+    |
+    | To prevent any objects from being unserialized, simply set this to
+    | an empty array.
+    */
+    'unserialize_safelist' => [
+        \Carbon\Carbon::class,
+        \Carbon\CarbonImmutable::class,
+    ],
 ];

src/Support/ValueSerializers/ValueSerializer.php

@@ -4,6 +4,7 @@
 
 namespace Rawilk\Settings\Support\ValueSerializers;
 
+use Illuminate\Support\Arr;
 use Rawilk\Settings\Contracts\ValueSerializer as ValueSerializerContract;
 
 class ValueSerializer implements ValueSerializerContract
@@ -15,6 +16,8 @@ public function serialize($value): string
 
     public function unserialize(string $serialized): mixed
     {
-        return unserialize($serialized, ['allowed_classes' => false]);
+        $safelistedClasses = Arr::wrap(config('settings.unserialize_safelist', []));
+
+        return unserialize($serialized, ['allowed_classes' => $safelistedClasses]);
     }
 }