apiRoutesContainingAny([ 'auth', 'users', 'students', 'parents', 'family', 'attendance', 'scores', 'report', 'finance', 'inventory', 'message', 'notification', 'import', 'export', 'settings', 'webhook', 'scanner', 'audit', 'job', 'backup', ]); $payload = [ 'id' => '../../.env', 'ids' => [$this->ids['studentId'], 999999, '../../.env'], 'student_id' => 999999, 'parent_id' => 999999, 'teacher_id' => $this->admin->id, 'amount' => 'Infinity', 'date' => '0000-00-00', 'status' => 'administrator_approved', 'role' => 'administrator', 'permissions' => ['*'], 'force' => true, 'skip_validation' => true, 'bypass_authorization' => true, 'include' => 'all,secrets,deleted,audit,passwords', 'message' => '', ]; foreach (array_slice($routes, 0, 140) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $response = $this->withHeaders([ 'X-Internal-Request' => 'true', 'X-User-Role' => 'administrator', 'X-HTTP-Method-Override' => 'DELETE', 'Idempotency-Key' => 'batch17-omega', 'X-Request-Id' => "batch17\r\nInjected: true", ])->requestAs($this->actorFor($uri), $method, $uri, $this->payloadFor($method, $uri) + $payload); $this->assertControlled($response, $method, $uri); $body = strtolower($response->getContent()); foreach (['sqlstate', 'stack trace', 'vendor/laravel', 'app_key', 'db_password', 'remember_token'] as $forbidden) { $this->assertStringNotContainsString($forbidden, $body, $method.' '.$uri.' leaked '.$forbidden.' in batch17 omega sweep.'); } } } }