Raise a more descriptive error if null bytes are found in the path (#1811)

* raise a more descriptive error if null bytes are found in the path

* formatting

Author: xavdid-stripe

lib/ApiRequestor.php

@@ -516,6 +516,12 @@ private function _requestRaw($method, $url, $params, $headers, $apiMode, $usage)
     {
         list($absUrl, $rawHeaders, $params, $hasFile, $myApiKey) = $this->_prepareRequest($method, $url, $params, $headers, $apiMode);
 
+        // for some reason, PHP users will sometimes include null bytes in their paths, which leads to cryptic server 400s.
+        // we'll be louder about this to help catch issues earlier.
+        if (false !== \strpos($absUrl, "\0") || false !== \strpos($absUrl, '%00')) {
+            throw new Exception\BadMethodCallException("URLs may not contain null bytes ('\\0'); double check any IDs you're including with the request.");
+        }
+
         $requestStartMs = Util\Util::currentTimeMillis();
 
         list($rbody, $rcode, $rheaders) = self::httpClient()->request(

tests/Stripe/ApiRequestorTest.php

@@ -726,4 +726,23 @@ public function testIsDisabled()
         $result = $method->invoke(null, 'procopen, php_uname, exec', 'php_uname');
         static::assertTrue($result);
     }
+
+    public function testRaisesForNullBytesInResourceMethod()
+    {
+        $this->expectException(\Stripe\Exception\BadMethodCallException::class);
+        $this->compatExpectExceptionMessageMatches('#null byte#');
+
+        Charge::retrieve("abc_123\0");
+    }
+
+    public function testRaisesForNullBytesInRawRequest()
+    {
+        $this->expectException(\Stripe\Exception\BadMethodCallException::class);
+        $this->compatExpectExceptionMessageMatches('#null byte#');
+
+        $client = new BaseStripeClient([
+            'api_key' => 'sk_test_client',
+        ]);
+        $client->rawRequest('get', "/v1/xyz\0");
+    }
 }