apiRoutesContainingAny([ 'auth', 'users', 'students', 'parents', 'family', 'guardian', 'attendance', 'scores', 'report', 'finance', 'invoice', 'payment', 'refund', 'inventory', 'import', 'export', 'scanner', 'settings', 'notification', ]); $payload = [ 'id' => '../../.env', 'user_id' => $this->admin->id, 'parent_id' => 999999, 'student_id' => 999999, 'role' => 'administrator', 'permissions' => ['*'], 'amount' => 'NaN', 'date' => '9999-99-99', 'include' => 'passwords,secrets,deleted,audit,all', 'force' => true, 'skip_validation' => true, 'bypass_authorization' => true, 'message' => '', ]; foreach (array_slice($routes, 0, 120) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $response = $this->withHeaders([ 'X-Role' => 'administrator', 'X-Forwarded-User' => (string) $this->admin->id, 'X-Client-Time' => '2099-01-01T00:00:00Z', 'Idempotency-Key' => 'batch16-hyper-sweep', ])->requestAs($this->actorFor($uri), $method, $uri, $this->payloadFor($method, $uri) + $payload); $this->assertControlled($response, $method, $uri); $body = strtolower($response->getContent()); foreach (['sqlstate', 'stack trace', 'vendor/laravel', 'app_key', 'db_password', 'remember_token'] as $forbidden) { $this->assertStringNotContainsString($forbidden, $body, $method.' '.$uri.' leaked '.$forbidden); } } } }