apiRoutesContainingAny(['upload', 'import', 'attachment', 'document', 'avatar', 'photo', 'file']); $this->assertNotEmpty($routes, 'Upload-like routes should be covered by content safety tests.'); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } foreach (['file', 'attachment', 'document', 'import_file', 'avatar'] as $field) { $payload = $this->payloadFor($method, $route->uri()) + [ $field => UploadedFile::fake()->create('malware.php', 4, 'application/x-php'), ]; $response = $this->actingAs($this->actorFor($route->uri()), 'api') ->json($method, $this->materializePath($route->uri()), $payload); $this->assertStatusIn($response, [400, 403, 404, 409, 413, 415, 422], "{$method} {$route->uri()} should reject executable {$field}."); $this->assertStringNotContainsString('getContent()); } } } public function test_download_and_file_response_routes_do_not_allow_path_traversal_parameters(): void { foreach ($this->apiRoutesContainingAny(['download', 'export', 'file', 'document', 'receipt', 'certificate']) as $route) { $method = $this->primaryMethod($route); if ($method !== 'GET') { continue; } $path = $this->materializePath($route->uri()) . '?filename=../../.env&path=../../storage/logs/laravel.log'; $response = $this->actingAs($this->actorFor($route->uri()), 'api')->getJson($path); $this->assertStatusIn($response, [200, 204, 400, 401, 403, 404, 409, 422], "GET {$route->uri()} path traversal probe"); $body = $response->getContent(); $this->assertStringNotContainsString('APP_KEY=', $body); $this->assertStringNotContainsString('DB_PASSWORD=', $body); } } }