Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch16RegressionHyperSweepTest.php
T
2026-06-09 01:03:53 -04:00

50 lines
2.1 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch16RegressionHyperSweepTest extends FullSurfaceE2EContractCase
{
public function test_batch16_hyper_sweep_applies_cross_cutting_hostile_payloads_to_high_risk_routes(): void
{
$routes = $this->apiRoutesContainingAny([
'auth', 'users', 'students', 'parents', 'family', 'guardian', 'attendance', 'scores', 'report',
'finance', 'invoice', 'payment', 'refund', 'inventory', 'import', 'export', 'scanner', 'settings', 'notification',
]);
$payload = [
'id' => '../../.env',
'user_id' => $this->admin->id,
'parent_id' => 999999,
'student_id' => 999999,
'role' => 'administrator',
'permissions' => ['*'],
'amount' => 'NaN',
'date' => '9999-99-99',
'include' => 'passwords,secrets,deleted,audit,all',
'force' => true,
'skip_validation' => true,
'bypass_authorization' => true,
'message' => '<script>alert("batch16")</script>',
];
foreach (array_slice($routes, 0, 120) as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$response = $this->withHeaders([
'X-Role' => 'administrator',
'X-Forwarded-User' => (string) $this->admin->id,
'X-Client-Time' => '2099-01-01T00:00:00Z',
'Idempotency-Key' => 'batch16-hyper-sweep',
])->requestAs($this->actorFor($uri), $method, $uri, $this->payloadFor($method, $uri) + $payload);
$this->assertControlled($response, $method, $uri);
$body = strtolower($response->getContent());
foreach (['sqlstate', 'stack trace', 'vendor/laravel', 'app_key', 'db_password', 'remember_token'] as $forbidden) {
$this->assertStringNotContainsString($forbidden, $body, $method.' '.$uri.' leaked '.$forbidden);
}
}
}
}