add test batches
This commit is contained in:
@@ -0,0 +1,51 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature\Api\V1\FullSurface;
|
||||
|
||||
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
||||
|
||||
class ApiBatch12CombinedRegressionSweepTest extends FullSurfaceE2EContractCase
|
||||
{
|
||||
public function test_batch_12_combined_security_business_rule_and_contract_probe(): void
|
||||
{
|
||||
$routes = array_slice($this->apiRoutesContainingAny([
|
||||
'auth', 'users', 'roles', 'permissions', 'students', 'parents', 'family',
|
||||
'attendance', 'scores', 'report-card', 'finance', 'invoice', 'payment',
|
||||
'inventory', 'import', 'export', 'webhook', 'settings', 'messages',
|
||||
]), 0, 220);
|
||||
|
||||
foreach ($routes as $route) {
|
||||
$method = $this->primaryMethod($route);
|
||||
$uri = $route->uri();
|
||||
$payload = $this->payloadFor($method, $uri) + [
|
||||
'scope' => 'all',
|
||||
'force' => true,
|
||||
'is_admin' => true,
|
||||
'role' => 'administrator',
|
||||
'student_id' => $this->ids['invoiceId'],
|
||||
'invoice_id' => $this->ids['studentId'],
|
||||
'amount' => '1e309',
|
||||
'status' => '<script>alert(1)</script>',
|
||||
'return_url' => 'https://evil.example/after-login',
|
||||
'callback_url' => 'http://169.254.169.254/latest/meta-data/',
|
||||
'fields' => ['*', 'password', 'remember_token'],
|
||||
];
|
||||
|
||||
$this->actingAs($this->actorFor($uri), 'api');
|
||||
$response = $this->withHeaders([
|
||||
'Accept' => 'application/json',
|
||||
'X-Admin' => '1',
|
||||
'X-Original-Method' => 'DELETE',
|
||||
'Idempotency-Key' => 'batch-12-combined-regression',
|
||||
])->json($method, $this->materializePath($uri), $payload);
|
||||
|
||||
$this->assertControlled($response, $method, $uri);
|
||||
$this->assertNoServerError($response, 'batch 12 combined regression '.$method.' '.$uri);
|
||||
|
||||
$body = $response->getContent();
|
||||
$this->assertStringNotContainsString('SQLSTATE', $body, 'batch 12 response leaked SQL at '.$uri);
|
||||
$this->assertStringNotContainsString('APP_KEY', $body, 'batch 12 response leaked env at '.$uri);
|
||||
$this->assertStringNotContainsString('remember_token', strtolower($body), 'batch 12 response leaked auth internals at '.$uri);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user