apiRoutesContainingAny(['notification', 'email', 'whatsapp', 'sms', 'message', 'broadcast', 'contact', 'support', 'template']); $payload = [ 'channel' => 'all', 'ignore_opt_out' => true, 'bypass_quiet_hours' => true, 'consent_revoked' => false, 'unsubscribe_token' => 'forged-token', 'force_send' => true, 'reply_to' => 'attacker@example.test\r\nBcc: all@example.test', ]; foreach (array_slice($routes, 0, 100) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $actor = $this->actorFor($uri); if (str_contains($uri, 'admin') || str_contains($uri, 'roles') || str_contains($uri, 'permissions')) { $actor = $this->studentUser; } $response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload); $this->assertControlled($response, $method, $uri); $this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' crashed during Batch 18 consent revocation and communication compliance probe.'); $body = strtolower($response->getContent()); foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'api_token', 'massassignmentexception', 'foreign key constraint'] as $leak) { $this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 18 consent revocation and communication compliance probe.'); } } } }