apiRoutesContainingAny([ 'auth', 'users', 'roles', 'permissions', 'students', 'parents', 'family', 'attendance', 'scores', 'report-card', 'finance', 'invoice', 'payment', 'inventory', 'import', 'export', 'webhook', 'settings', 'messages', ]), 0, 220); foreach ($routes as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'scope' => 'all', 'force' => true, 'is_admin' => true, 'role' => 'administrator', 'student_id' => $this->ids['invoiceId'], 'invoice_id' => $this->ids['studentId'], 'amount' => '1e309', 'status' => '', 'return_url' => 'https://evil.example/after-login', 'callback_url' => 'http://169.254.169.254/latest/meta-data/', 'fields' => ['*', 'password', 'remember_token'], ]; $this->actingAs($this->actorFor($uri), 'api'); $response = $this->withHeaders([ 'Accept' => 'application/json', 'X-Admin' => '1', 'X-Original-Method' => 'DELETE', 'Idempotency-Key' => 'batch-12-combined-regression', ])->json($method, $this->materializePath($uri), $payload); $this->assertControlled($response, $method, $uri); $this->assertNoServerError($response, 'batch 12 combined regression '.$method.' '.$uri); $body = $response->getContent(); $this->assertStringNotContainsString('SQLSTATE', $body, 'batch 12 response leaked SQL at '.$uri); $this->assertStringNotContainsString('APP_KEY', $body, 'batch 12 response leaked env at '.$uri); $this->assertStringNotContainsString('remember_token', strtolower($body), 'batch 12 response leaked auth internals at '.$uri); } } }