apiRoutesContainingAny(['message', 'contact', 'support', 'communication', 'broadcast', 'email', 'whatsapp']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$payload = $this->payloadFor($method, $route->uri()) + [
'subject' => "Batch 13\r\nBcc: victim@example.test",
'message' => '
'.str_repeat('spam ', 2000),
'body' => '',
'from' => 'attacker@example.test\r\nCc: injected@example.test',
'recipients' => array_fill(0, 500, 'victim@example.test'),
'channel' => 'all',
];
$response = $this->requestAs($this->parent, $method, $route->uri(), $payload);
$this->assertControlled($response, $method, $route->uri());
$this->assertStringNotContainsString('Bcc: victim@example.test', $response->getContent());
$this->assertStringNotContainsString('', $response->getContent());
}
}
public function test_broadcast_routes_remain_admin_only_under_channel_spoofing(): void
{
$routes = $this->apiRoutesContainingAny(['broadcast', 'email', 'notification', 'whatsapp']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
continue;
}
$response = $this->requestAs($this->teacher, $method, $route->uri(), [
'recipients' => ['all'],
'audience' => 'all_school',
'channel' => 'admin',
'force' => true,
]);
$this->assertControlled($response, $method, $route->uri());
$this->assertNotContains($response->getStatusCode(), [200, 201]);
}
}
}