Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch20RegressionContinuityComplianceSweepTest.php
T
2026-06-11 11:46:12 -04:00

60 lines
2.9 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch20RegressionContinuityComplianceSweepTest extends FullSurfaceE2EContractCase
{
public function test_batch20_continuity_compliance_and_export_sweep_stays_controlled(): void
{
$routes = $this->apiRoutesContainingAny([
'auth', 'users', 'students', 'parents', 'family', 'guardian', 'custody', 'privacy', 'retention',
'purge', 'archive', 'finance', 'cash', 'payments', 'receipt', 'invoice', 'tax', 'discount',
'scholarship', 'scores', 'grade', 'report-card', 'attendance', 'scanner', 'kiosk', 'badge',
'transport', 'pickup', 'emergency', 'broadcast', 'notification', 'email', 'whatsapp', 'webhook',
'audit', 'logs', 'export', 'download', 'class', 'waitlist', 'lottery', 'translation', 'locale',
'health', 'metrics', 'debug', 'analytics', 'dashboard', 'warehouse', 'settings',
]);
$payload = [
'scope' => 'all',
'include_pii' => true,
'include_tokens' => true,
'include_secrets' => true,
'fields' => 'password,remember_token,api_token,medical_notes,custody_order,db_password,app_key',
'force' => true,
'skip_authorization' => true,
'skip_validation' => true,
'override_balance' => true,
'amount' => '-999999999999.999',
'student_id' => 999999,
'parent_id' => 999999,
'approved_by' => 999999,
'verified_by' => 999999,
'signature' => 'forged',
'path' => '../../.env',
'destination_url' => 'http://169.254.169.254/latest/meta-data/',
'message' => '<script>alert("batch20")</script>',
'locale' => 'ar-EG<script>',
'translations' => ['en' => '<script>alert(1)</script>'],
];
foreach (array_slice($routes, 0, 180) as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$actor = str_contains($uri, 'admin') || str_contains($uri, 'audit') || str_contains($uri, 'logs') || str_contains($uri, 'settings')
? $this->studentUser
: $this->actorFor($uri);
$response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload);
$this->assertControlled($response, $method, $uri);
$body = strtolower($response->getContent());
foreach (['sqlstate', 'stack trace', 'app_key', 'db_password', 'remember_token', 'api_token', 'password_hash', 'massassignmentexception', 'database.sqlite', '169.254.169.254'] as $leak) {
$this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 20 continuity compliance sweep.');
}
}
}
}