fix: FeatureTestTrait::withRoutes() may throw all sorts of errors on invalid HTTP methods (#10004)

* add failing test

* add fix and changelog

Author: paulbalandan

system/HTTP/Method.php

@@ -102,7 +102,7 @@ class Method
     /**
      * Returns all HTTP methods.
      *
-     * @return list<string>
+     * @return list<uppercase-string>
      */
     public static function all(): array
     {

system/Test/FeatureTestTrait.php

@@ -15,6 +15,7 @@
 
 use Closure;
 use CodeIgniter\Events\Events;
+use CodeIgniter\Exceptions\RuntimeException;
 use CodeIgniter\HTTP\Exceptions\RedirectException;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Method;
@@ -76,11 +77,16 @@ protected function withRoutes(?array $routes = null)
                     );
                 }
 
-                /**
-                 * @TODO For backward compatibility. Remove strtolower() in the future.
-                 * @deprecated 4.5.0
-                 */
-                $method = strtolower($route[0]);
+                // @todo v4.7.1 Remove the strtoupper() and use 'add' in v4.8.0
+                if (! in_array(strtoupper($route[0]), ['ADD', 'CLI', ...Method::all()], true)) {
+                    throw new RuntimeException(sprintf(
+                        'Invalid HTTP method "%s" provided for route "%s".',
+                        $route[0],
+                        $route[1],
+                    ));
+                }
+
+                $method = strtolower($route[0]); // convert to method of RouteCollection
 
                 if (isset($route[3])) {
                     $collection->{$method}($route[1], $route[2], $route[3]);

tests/system/Test/FeatureTestTraitTest.php

@@ -16,6 +16,7 @@
 use CodeIgniter\Config\Factories;
 use CodeIgniter\Events\Events;
 use CodeIgniter\Exceptions\PageNotFoundException;
+use CodeIgniter\Exceptions\RuntimeException;
 use CodeIgniter\HTTP\Method;
 use CodeIgniter\HTTP\Response;
 use CodeIgniter\Test\Mock\MockCodeIgniter;
@@ -689,4 +690,33 @@ public function testForceGlobalSecureRequests(): void
         // Do not redirect.
         $response->assertStatus(200);
     }
+
+    #[DataProvider('provideWithRoutesWithInvalidMethod')]
+    public function testWithRoutesWithInvalidMethod(string $method): void
+    {
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage(sprintf('Invalid HTTP method "%s" provided for route "home".', $method));
+
+        $this->withRoutes([
+            [
+                $method,
+                'home',
+                static fn (): string => 'Hello World',
+            ],
+        ]);
+    }
+
+    /**
+     * @return iterable<string, array{0: string}>
+     */
+    public static function provideWithRoutesWithInvalidMethod(): iterable
+    {
+        foreach (['ADD', 'CLI', ...Method::all()] as $method) {
+            yield "wrong {$method}" => [$method . 'S'];
+        }
+
+        yield 'route collection addRedirect' => ['addRedirect'];
+
+        yield 'route collection setHTTPVerb' => ['setHTTPVerb'];
+    }
 }

user_guide_src/source/changelogs/v4.7.1.rst

@@ -57,6 +57,7 @@ Bugs Fixed
 - **Session:** Fixed a bug in ``MemcachedHandler`` where the constructor incorrectly threw an exception when ``savePath`` was not empty.
 - **Toolbar:** Fixed a bug where the standalone toolbar page loaded from ``?debugbar_time=...`` was not interactive.
 - **Toolbar:** Fixed a bug in the Routes panel where only the first route parameter was converted to an input field on hover.
+- **Testing:** Fixed a bug in ``FeatureTestTrait::withRoutes()`` where invalid HTTP methods were not properly validated, thus passing them all to ``RouteCollection``.
 - **View:** Fixed a bug where ``View`` would throw an error if the ``appOverridesFolder`` config property was not defined.
 
 See the repo's