26 lines
1.2 KiB
PHP
26 lines
1.2 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiOperationalEndpointExposureContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_operational_debug_and_maintenance_routes_are_not_publicly_exposed_with_sensitive_data(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['debug', 'health', 'db-check', 'metrics', 'logs', 'cache', 'queue', 'maintenance', 'telescope', 'horizon']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$response = $this->json($method, $this->materializePath($uri), $this->payloadFor($method, $uri));
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
$this->assertNoServerError($response, 'operational endpoint exposure at '.$method.' '.$uri);
|
|
$this->assertStringNotContainsStringIgnoringCase('APP_KEY', $response->getContent());
|
|
$this->assertStringNotContainsStringIgnoringCase('DB_PASSWORD', $response->getContent());
|
|
$this->assertStringNotContainsStringIgnoringCase('AWS_SECRET', $response->getContent());
|
|
}
|
|
}
|
|
}
|