57 lines
2.6 KiB
PHP
57 lines
2.6 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch19RegressionContinuitySweepTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_batch19_continuity_and_privacy_sweep_stays_controlled(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny([
|
|
'auth', 'users', 'roles', 'permissions', 'students', 'parents', 'family', 'guardian',
|
|
'attendance', 'excuse', 'dismissal', 'teacher', 'classes', 'transfer', 'scores', 'report',
|
|
'finance', 'payments', 'refunds', 'invoices', 'ledger', 'inventory', 'messages', 'notification',
|
|
'email', 'webhook', 'sync', 'import', 'export', 'download', 'file', 'dashboard', 'backup',
|
|
'restore', 'settings', 'audit', 'logs',
|
|
]);
|
|
|
|
$payload = [
|
|
'scope' => 'all',
|
|
'all_school' => true,
|
|
'policy_context' => ['is_admin' => true],
|
|
'include' => 'password,remember_token,api_token,medical_notes,custody_order,raw_provider_response',
|
|
'fields' => 'id,email,phone,password,remember_token,api_token,medical_notes',
|
|
'student_id' => 999999,
|
|
'parent_id' => 999999,
|
|
'invoice_id' => 999999,
|
|
'amount' => '-999999999999.999',
|
|
'approved_by' => 999999,
|
|
'force' => true,
|
|
'skip_authorization' => true,
|
|
'skip_validation' => true,
|
|
'signature' => 'forged',
|
|
'path' => '../../.env',
|
|
'temporary_url' => 'https://evil.example.test/file',
|
|
'callback_url' => 'http://169.254.169.254/latest/meta-data/',
|
|
'message' => '<script>alert("batch19")</script>',
|
|
];
|
|
|
|
foreach (array_slice($routes, 0, 160) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$actor = str_contains($uri, 'admin') || str_contains($uri, 'backup') || str_contains($uri, 'restore')
|
|
? $this->studentUser
|
|
: $this->actorFor($uri);
|
|
|
|
$response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload);
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
$body = strtolower($response->getContent());
|
|
foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'massassignmentexception', 'database.sqlite', 'raw_provider_response'] as $leak) {
|
|
$this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 19 continuity sweep.');
|
|
}
|
|
}
|
|
}
|
|
}
|