apiRoutesContainingAny($needles), 0, 20) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'tenant_id' => 99999999, 'school_id' => 99999999, 'owner_id' => $this->admin->id, 'owner_type' => 'App\\Models\\User', 'scope' => 'global', 'include' => '*,password,remember_token,secrets,deleted', 'force' => true, 'hard_delete' => true, 'amount' => 'NaN', 'path' => '../../.env', 'signature' => 'forged', 'redirect' => 'https://evil.example.test', ]; $response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload); $this->assertControlled($response, $method, $uri); $body = strtolower($response->getContent()); foreach (['app_key', 'db_password', 'remember_token', 'stack trace', 'sqlstate', '.env'] as $forbidden) { $this->assertStringNotContainsString($forbidden, $body); } } } } }