Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiFileMediaMetadataSafetyContractTest.php
T
root 8661615717
API CI/CD / Validate (composer + pint) (push) Successful in 2m46s
API CI/CD / Test (PHPUnit) (push) Failing after 3m3s
API CI/CD / Build frontend assets (push) Failing after 5m22s
API CI/CD / Security audit (push) Failing after 34s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
Update PHPUnit test metadata attributes
2026-06-25 20:04:18 -04:00

59 lines
2.3 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Illuminate\Http\UploadedFile;
use PHPUnit\Framework\Attributes\Test;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiFileMediaMetadataSafetyContractTest extends FullSurfaceE2EContractCase
{
#[Test]
public function upload_routes_reject_misleading_metadata_and_path_names_cleanly(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['upload', 'import', 'document', 'attachment', 'file', 'photo', 'avatar']), 0, 80);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$payload = $this->payloadFor($method, $uri) + [
'file' => UploadedFile::fake()->create('../evil.php', 12, 'application/x-php'),
'filename' => '../storage/logs/laravel.log',
'original_name' => "invoice\0.pdf",
'mime_type' => 'image/png; charset=utf-8',
];
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
$this->assertControlled($response, $method, $uri);
$this->assertLessThan(500, $response->getStatusCode(), "$method $uri should handle misleading upload metadata without server errors.");
}
}
#[Test]
public function download_routes_do_not_accept_path_traversal_identifiers(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['download', 'export', 'file', 'attachment', 'receipt', 'certificate']), 0, 90);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$payload = $this->payloadFor($method, $uri) + [
'filename' => '../../.env',
'path' => '../../storage/logs/laravel.log',
'file' => '../../composer.json',
];
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
$this->assertControlled($response, $method, $uri);
$this->assertStringNotContainsString('APP_KEY=', $response->getContent(), "$method $uri must not leak environment files.");
}
}
}