Throw TransformationFailedException when there is a null bytes injection

Author: sormes

src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php

@@ -118,6 +118,10 @@ public function reverseTransform($value)
             throw new TransformationFailedException('Expected a string.');
         }
 
+        if (str_contains($value, "\0")) {
+            throw new TransformationFailedException('Null bytes not allowed');
+        }
+
         $outputTz = new \DateTimeZone($this->outputTimezone);
         $dateTime = \DateTime::createFromFormat($this->parseFormat, $value, $outputTz);
 

src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php

@@ -133,6 +133,19 @@ public function testReverseTransformEmpty()
         $this->assertNull($reverseTransformer->reverseTransform(''));
     }
 
+    public function testReverseTransformWithNullBytes()
+    {
+        $transformer = new DateTimeToStringTransformer();
+
+        $nullByte = \chr(0);
+        $value = '2024-03-15 21:11:00'.$nullByte;
+
+        $this->expectException(TransformationFailedException::class);
+        $this->expectExceptionMessage('Null bytes not allowed');
+
+        $transformer->reverseTransform($value);
+    }
+
     public function testReverseTransformWithDifferentTimezones()
     {
         $reverseTransformer = new DateTimeToStringTransformer('America/New_York', 'Asia/Hong_Kong', 'Y-m-d H:i:s');