apiRoutesContainingAny([ 'auth', 'users', 'roles', 'permissions', 'students', 'parents', 'family', 'guardian', 'attendance', 'incident', 'scores', 'grading', 'report', 'finance', 'payments', 'refund', 'inventory', 'classes', 'calendar', 'messages', 'notification', 'export', 'upload', 'webhook', 'settings', 'audit', 'logs', 'feature', 'license', ]); $payload = [ 'id' => 999999, 'role' => 'administrator', 'permissions' => ['*'], 'student_id' => 999999, 'parent_id' => 999999, 'include_deleted' => true, 'all_school' => true, 'force' => true, 'skip_validation' => true, 'amount' => '-999999999999.999', 'date' => '2099-99-99', 'timezone' => 'Bad/Zone', 'message' => '', 'file' => '../../.env', 'redirect' => 'https://evil.example.test', 'callback_url' => 'http://169.254.169.254/latest/meta-data/', 'audit_id' => 'client-forged', 'watermark' => '', ]; foreach (array_slice($routes, 0, 140) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $response = $this->requestAs($this->actorFor($uri), $method, $uri, $this->payloadFor($method, $uri) + $payload); $this->assertControlled($response, $method, $uri); $body = strtolower($response->getContent()); foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'massassignmentexception'] as $leak) { $this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 18 regression sweep.'); } } } }