Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiAttachmentUploadContentSafetyContractTest.php
2026-06-11 11:46:12 -04:00

56 lines
2.4 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Illuminate\Http\UploadedFile;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiAttachmentUploadContentSafetyContractTest extends FullSurfaceE2EContractCase
{
public function test_upload_endpoints_reject_executable_or_misleading_files_cleanly(): void
{
$routes = $this->apiRoutesContainingAny(['upload', 'import', 'attachment', 'document', 'avatar', 'photo', 'file']);
$this->assertNotEmpty($routes, 'Upload-like routes should be covered by content safety tests.');
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
foreach (['file', 'attachment', 'document', 'import_file', 'avatar'] as $field) {
$payload = $this->payloadFor($method, $route->uri()) + [
$field => UploadedFile::fake()->create('malware.php', 4, 'application/x-php'),
];
$response = $this->actingAs($this->actorFor($route->uri()), 'api')
->json($method, $this->materializePath($route->uri()), $payload);
$this->assertStatusIn($response, [400, 403, 404, 409, 413, 415, 422], "{$method} {$route->uri()} should reject executable {$field}.");
$this->assertStringNotContainsString('<?php', $response->getContent());
}
}
}
public function test_download_and_file_response_routes_do_not_allow_path_traversal_parameters(): void
{
foreach ($this->apiRoutesContainingAny(['download', 'export', 'file', 'document', 'receipt', 'certificate']) as $route) {
$method = $this->primaryMethod($route);
if ($method !== 'GET') {
continue;
}
$path = $this->materializePath($route->uri()).'?filename=../../.env&path=../../storage/logs/laravel.log';
$response = $this->actingAs($this->actorFor($route->uri()), 'api')->getJson($path);
$this->assertStatusIn($response, [200, 204, 400, 401, 403, 404, 409, 422], "GET {$route->uri()} path traversal probe");
$body = $response->getContent();
$this->assertStringNotContainsString('APP_KEY=', $body);
$this->assertStringNotContainsString('DB_PASSWORD=', $body);
}
}
}