44 lines
2.0 KiB
PHP
44 lines
2.0 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch12SensitiveConfigurationExposureContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_configuration_and_bootstrap_responses_do_not_expose_secrets(): void
|
|
{
|
|
$routes = array_slice($this->apiRoutesContainingAny(['settings', 'configuration', 'config', 'frontend', 'bootstrap', 'env', 'health', 'debug']), 0, 120);
|
|
$forbidden = ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD', 'STRIPE_SECRET', 'PAYPAL_SECRET', 'JWT_SECRET', 'SANCTUM', 'password_hash', 'remember_token'];
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if ($method !== 'GET') {
|
|
continue;
|
|
}
|
|
|
|
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri());
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertNoServerError($response, 'secret exposure probe '.$route->uri());
|
|
|
|
$body = $response->getContent();
|
|
foreach ($forbidden as $needle) {
|
|
$this->assertStringNotContainsString($needle, $body, $route->uri().' must not expose '.$needle);
|
|
}
|
|
}
|
|
}
|
|
|
|
public function test_low_privilege_users_cannot_read_sensitive_configuration_domains(): void
|
|
{
|
|
$routes = array_slice($this->apiRoutesContainingAny(['settings', 'configuration', 'config', 'permissions']), 0, 100);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$response = $this->requestAs($this->studentUser, $method, $route->uri(), $this->payloadFor($method, $route->uri()));
|
|
|
|
$this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'student must not read/mutate sensitive configuration '.$method.' '.$route->uri());
|
|
$this->assertNoServerError($response, 'student configuration probe '.$method.' '.$route->uri());
|
|
}
|
|
}
|
|
}
|