(PUP-11321) Allow loading of safe classes from the persistence store

The result of a deferred function is stored in the persistence store as the last
known "system_value". When calling the `binary_file` function deferred, we
stored a `Puppet::Pops::Types::PBinaryType::Binary` object, but failed to load
it the next time we ran.

Expand the list of allowed classes to include objects that may be called by
builtin or custom functions.

Author: joshcooper

lib/puppet/transaction/persistence.rb

@@ -6,6 +6,26 @@
 # as calculating corrective_change).
 # @api private
 class Puppet::Transaction::Persistence
+
+  def self.allowed_classes
+    @allowed_classes ||= [
+      Symbol,
+      Time,
+      Regexp,
+      # URI is excluded, because it serializes all instance variables including the
+      # URI parser. Better to serialize the URL encoded representation.
+      SemanticPuppet::Version,
+      # SemanticPuppet::VersionRange has many nested classes and is unlikely to be
+      # used directly, so ignore it
+      Puppet::Pops::Time::Timestamp,
+      Puppet::Pops::Time::TimeData,
+      Puppet::Pops::Time::Timespan,
+      Puppet::Pops::Types::PBinaryType::Binary,
+      # Puppet::Pops::Types::PSensitiveType::Sensitive values are excluded from
+      # the persistence store, ignore it.
+    ].freeze
+  end
+
   def initialize
     @old_data = {}
     @new_data = {"resources" => {}}
@@ -62,7 +82,7 @@ def load
     result = nil
     Puppet::Util.benchmark(:debug, _("Loaded transaction store file in %{seconds} seconds")) do
       begin
-        result = Puppet::Util::Yaml.safe_load_file(filename, [Symbol, Time])
+        result = Puppet::Util::Yaml.safe_load_file(filename, self.class.allowed_classes)
       rescue Puppet::Util::Yaml::YamlLoadError => detail
         Puppet.log_exception(detail, _("Transaction store file %{filename} is corrupt (%{detail}); replacing") % { filename: filename, detail: detail })
 

spec/unit/transaction/persistence_spec.rb

@@ -138,6 +138,57 @@ def write_state_file(contents)
         persistence = Puppet::Transaction::Persistence.new
         expect(persistence.load.dig("File[/tmp/audit]", "parameters", "mtime", "system_value")).to contain_exactly(be_a(Time))
       end
+
+      it 'should load Regexp' do
+        write_state_file(<<~END)
+          system_value:
+            - !ruby/regexp /regexp/
+        END
+
+        persistence = Puppet::Transaction::Persistence.new
+        expect(persistence.load.dig("system_value")).to contain_exactly(be_a(Regexp))
+      end
+
+      it 'should load semantic puppet version' do
+        write_state_file(<<~END)
+          system_value:
+            - !ruby/object:SemanticPuppet::Version
+              major: 1
+              minor: 0
+              patch: 0
+              prerelease: 
+              build: 
+        END
+
+        persistence = Puppet::Transaction::Persistence.new
+        expect(persistence.load.dig("system_value")).to contain_exactly(be_a(SemanticPuppet::Version))
+      end
+
+      it 'should load puppet time related objects' do
+        write_state_file(<<~END)
+          system_value:
+            - !ruby/object:Puppet::Pops::Time::Timestamp
+              nsecs: 1638316135955087259
+            - !ruby/object:Puppet::Pops::Time::TimeData
+              nsecs: 1495789430910161286
+            - !ruby/object:Puppet::Pops::Time::Timespan
+              nsecs: 1495789430910161286
+        END
+
+        persistence = Puppet::Transaction::Persistence.new
+        expect(persistence.load.dig("system_value")).to contain_exactly(be_a(Puppet::Pops::Time::Timestamp), be_a(Puppet::Pops::Time::TimeData), be_a(Puppet::Pops::Time::Timespan))
+      end
+
+      it 'should load binary objects' do
+        write_state_file(<<~END)
+          system_value:
+            - !ruby/object:Puppet::Pops::Types::PBinaryType::Binary
+              binary_buffer: ''
+        END
+
+        persistence = Puppet::Transaction::Persistence.new
+        expect(persistence.load.dig("system_value")).to contain_exactly(be_a(Puppet::Pops::Types::PBinaryType::Binary))
+      end
     end
   end