add test batches

This commit is contained in:
root
2026-06-08 23:45:55 -04:00
parent c792b8be05
commit 8d4d610b82
1480 changed files with 22587 additions and 10762 deletions
@@ -0,0 +1,55 @@
<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Illuminate\Http\UploadedFile;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiAttachmentUploadContentSafetyContractTest extends FullSurfaceE2EContractCase
{
public function test_upload_endpoints_reject_executable_or_misleading_files_cleanly(): void
{
$routes = $this->apiRoutesContainingAny(['upload', 'import', 'attachment', 'document', 'avatar', 'photo', 'file']);
$this->assertNotEmpty($routes, 'Upload-like routes should be covered by content safety tests.');
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
foreach (['file', 'attachment', 'document', 'import_file', 'avatar'] as $field) {
$payload = $this->payloadFor($method, $route->uri()) + [
$field => UploadedFile::fake()->create('malware.php', 4, 'application/x-php'),
];
$response = $this->actingAs($this->actorFor($route->uri()), 'api')
->json($method, $this->materializePath($route->uri()), $payload);
$this->assertStatusIn($response, [400, 403, 404, 409, 413, 415, 422], "{$method} {$route->uri()} should reject executable {$field}.");
$this->assertStringNotContainsString('<?php', $response->getContent());
}
}
}
public function test_download_and_file_response_routes_do_not_allow_path_traversal_parameters(): void
{
foreach ($this->apiRoutesContainingAny(['download', 'export', 'file', 'document', 'receipt', 'certificate']) as $route) {
$method = $this->primaryMethod($route);
if ($method !== 'GET') {
continue;
}
$path = $this->materializePath($route->uri()) . '?filename=../../.env&path=../../storage/logs/laravel.log';
$response = $this->actingAs($this->actorFor($route->uri()), 'api')->getJson($path);
$this->assertStatusIn($response, [200, 204, 400, 401, 403, 404, 409, 422], "GET {$route->uri()} path traversal probe");
$body = $response->getContent();
$this->assertStringNotContainsString('APP_KEY=', $body);
$this->assertStringNotContainsString('DB_PASSWORD=', $body);
}
}
}