56 lines
2.4 KiB
PHP
56 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Illuminate\Http\UploadedFile;
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiAttachmentUploadContentSafetyContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_upload_endpoints_reject_executable_or_misleading_files_cleanly(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['upload', 'import', 'attachment', 'document', 'avatar', 'photo', 'file']);
|
|
|
|
$this->assertNotEmpty($routes, 'Upload-like routes should be covered by content safety tests.');
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
foreach (['file', 'attachment', 'document', 'import_file', 'avatar'] as $field) {
|
|
$payload = $this->payloadFor($method, $route->uri()) + [
|
|
$field => UploadedFile::fake()->create('malware.php', 4, 'application/x-php'),
|
|
];
|
|
|
|
$response = $this->actingAs($this->actorFor($route->uri()), 'api')
|
|
->json($method, $this->materializePath($route->uri()), $payload);
|
|
|
|
$this->assertStatusIn($response, [400, 403, 404, 409, 413, 415, 422], "{$method} {$route->uri()} should reject executable {$field}.");
|
|
$this->assertStringNotContainsString('<?php', $response->getContent());
|
|
}
|
|
}
|
|
}
|
|
|
|
public function test_download_and_file_response_routes_do_not_allow_path_traversal_parameters(): void
|
|
{
|
|
foreach ($this->apiRoutesContainingAny(['download', 'export', 'file', 'document', 'receipt', 'certificate']) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
|
|
if ($method !== 'GET') {
|
|
continue;
|
|
}
|
|
|
|
$path = $this->materializePath($route->uri()) . '?filename=../../.env&path=../../storage/logs/laravel.log';
|
|
$response = $this->actingAs($this->actorFor($route->uri()), 'api')->getJson($path);
|
|
|
|
$this->assertStatusIn($response, [200, 204, 400, 401, 403, 404, 409, 422], "GET {$route->uri()} path traversal probe");
|
|
$body = $response->getContent();
|
|
$this->assertStringNotContainsString('APP_KEY=', $body);
|
|
$this->assertStringNotContainsString('DB_PASSWORD=', $body);
|
|
}
|
|
}
|
|
}
|