add test batches
This commit is contained in:
@@ -0,0 +1,55 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature\Api\V1\FullSurface;
|
||||
|
||||
use Illuminate\Http\UploadedFile;
|
||||
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
||||
|
||||
class ApiAttachmentUploadContentSafetyContractTest extends FullSurfaceE2EContractCase
|
||||
{
|
||||
public function test_upload_endpoints_reject_executable_or_misleading_files_cleanly(): void
|
||||
{
|
||||
$routes = $this->apiRoutesContainingAny(['upload', 'import', 'attachment', 'document', 'avatar', 'photo', 'file']);
|
||||
|
||||
$this->assertNotEmpty($routes, 'Upload-like routes should be covered by content safety tests.');
|
||||
|
||||
foreach ($routes as $route) {
|
||||
$method = $this->primaryMethod($route);
|
||||
|
||||
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
foreach (['file', 'attachment', 'document', 'import_file', 'avatar'] as $field) {
|
||||
$payload = $this->payloadFor($method, $route->uri()) + [
|
||||
$field => UploadedFile::fake()->create('malware.php', 4, 'application/x-php'),
|
||||
];
|
||||
|
||||
$response = $this->actingAs($this->actorFor($route->uri()), 'api')
|
||||
->json($method, $this->materializePath($route->uri()), $payload);
|
||||
|
||||
$this->assertStatusIn($response, [400, 403, 404, 409, 413, 415, 422], "{$method} {$route->uri()} should reject executable {$field}.");
|
||||
$this->assertStringNotContainsString('<?php', $response->getContent());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function test_download_and_file_response_routes_do_not_allow_path_traversal_parameters(): void
|
||||
{
|
||||
foreach ($this->apiRoutesContainingAny(['download', 'export', 'file', 'document', 'receipt', 'certificate']) as $route) {
|
||||
$method = $this->primaryMethod($route);
|
||||
|
||||
if ($method !== 'GET') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$path = $this->materializePath($route->uri()) . '?filename=../../.env&path=../../storage/logs/laravel.log';
|
||||
$response = $this->actingAs($this->actorFor($route->uri()), 'api')->getJson($path);
|
||||
|
||||
$this->assertStatusIn($response, [200, 204, 400, 401, 403, 404, 409, 422], "GET {$route->uri()} path traversal probe");
|
||||
$body = $response->getContent();
|
||||
$this->assertStringNotContainsString('APP_KEY=', $body);
|
||||
$this->assertStringNotContainsString('DB_PASSWORD=', $body);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user