apiRoutesContainingAny($needles), 0, 18) as $route) { $method = $this->primaryMethod($route); $payload = $this->payloadFor($method, $route->uri()) + [ 'id' => '../../.env', 'student_id' => ['not', 'an', 'id'], 'parent_id' => 99999999, 'amount' => '-999999999.999', 'status' => '', 'path' => '../../storage/logs/laravel.log', 'signature' => 'forged', 'approved_by' => $this->admin->id, 'owner_type' => 'App\\Models\\User', 'owner_id' => $this->admin->id, 'include' => '*,password,remember_token,audit_logs', 'scope' => 'global', 'force' => true, 'hard_delete' => true, ]; $response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload); $this->assertControlled($response, $method, $route->uri()); $body = strtolower($response->getContent()); foreach (['sqlstate', 'app_key', 'db_password', 'remember_token', 'stack trace', 'laravel.log'] as $forbidden) { $this->assertStringNotContainsString($forbidden, $body); } } } } }