@fourlights/strapi-plugin-deep-populate 1.9.0 → 1.9.1

package/dist/server/index.js

@@ -18551,6 +18551,20 @@ const cache = ({ strapi: strapi2 }) => ({
     }
   }
 });
+const sanitizeObject = (obj) => {
+  if (obj === null || typeof obj !== "object") return obj;
+  const dangerousProps = ["__proto__", "constructor", "prototype"];
+  const sanitized = {};
+  for (const key in obj) {
+    if (dangerousProps.includes(key)) continue;
+    if (typeof obj[key] === "object" && ___default.isNil(obj[key])) {
+      sanitized[key] = sanitizeObject(obj[key]);
+    } else {
+      sanitized[key] = obj[key];
+    }
+  }
+  return sanitized;
+};
 const getRelations = (model) => {
   const filteredAttributes = /* @__PURE__ */ new Set();
   const { populateCreatorFields } = getOptions(model);
@@ -18619,7 +18633,7 @@ async function _populateDynamicZone({
       ...params
     });
     const currentPopulate = get__default.default(resolvedPopulate, [component]);
-    const mergedComponentPopulate = !currentPopulate && componentPopulate === true ? componentPopulate : merge__default.default({}, currentPopulate, componentPopulate);
+    const mergedComponentPopulate = !currentPopulate && componentPopulate === true ? componentPopulate : merge__default.default({}, currentPopulate, sanitizeObject(componentPopulate));
     set__default.default(resolvedPopulate, [component], mergedComponentPopulate);
   }
   if (isEmpty(resolvedPopulate)) return void 0;
@@ -18652,7 +18666,7 @@ async function _populateRelation({
   }
   const newPopulate = {};
   for (const { documentId } of relations) {
-    const relationPopulate = resolvedRelations.get(documentId);
+    const relationPopulate = sanitizeObject(resolvedRelations.get(documentId));
     mergeWith__default.default(newPopulate, relationPopulate, (existing, proposed) => {
       if (proposed === true && existing) return existing;
       return void 0;
@@ -18823,7 +18837,7 @@ async function populate$1(params) {
   const { omitEmpty, localizations, contentTypes: contentTypes2 } = strapi.config.get("plugin::deep-populate");
   const contentTypeConfig = has__default.default(contentTypes2, "*") ? get__default.default(contentTypes2, "*") : {};
   if (has__default.default(contentTypes2, params.contentType)) {
-    mergeWith__default.default(contentTypeConfig, get__default.default(contentTypes2, params.contentType));
+    mergeWith__default.default(contentTypeConfig, sanitizeObject(get__default.default(contentTypes2, params.contentType)));
   }
   const { allow, deny } = contentTypeConfig;
   const resolvedRelations = /* @__PURE__ */ new Map();

package/dist/server/index.mjs

@@ -1,6 +1,6 @@
 import isEmpty$1 from "lodash/isEmpty";
 import isObject$2 from "lodash/isObject";
-import ___default from "lodash";
+import ___default, { isNil as isNil$1 } from "lodash";
 import { union as union$1, getOr, curry, isObject as isObject$3, isNil, clone as clone$2, isArray, pick as pick$1, isEmpty as isEmpty$2, cloneDeep, omit as omit$1, isString, trim as trim$1, pipe as pipe$2, split, map as map$2, flatten, first, constant, identity, join, eq, get } from "lodash/fp";
 import require$$1 from "crypto";
 import require$$0$1 from "child_process";
@@ -18524,6 +18524,20 @@ const cache = ({ strapi: strapi2 }) => ({
     }
   }
 });
+const sanitizeObject = (obj) => {
+  if (obj === null || typeof obj !== "object") return obj;
+  const dangerousProps = ["__proto__", "constructor", "prototype"];
+  const sanitized = {};
+  for (const key in obj) {
+    if (dangerousProps.includes(key)) continue;
+    if (typeof obj[key] === "object" && isNil$1(obj[key])) {
+      sanitized[key] = sanitizeObject(obj[key]);
+    } else {
+      sanitized[key] = obj[key];
+    }
+  }
+  return sanitized;
+};
 const getRelations = (model) => {
   const filteredAttributes = /* @__PURE__ */ new Set();
   const { populateCreatorFields } = getOptions(model);
@@ -18592,7 +18606,7 @@ async function _populateDynamicZone({
       ...params
     });
     const currentPopulate = get$1(resolvedPopulate, [component]);
-    const mergedComponentPopulate = !currentPopulate && componentPopulate === true ? componentPopulate : merge$2({}, currentPopulate, componentPopulate);
+    const mergedComponentPopulate = !currentPopulate && componentPopulate === true ? componentPopulate : merge$2({}, currentPopulate, sanitizeObject(componentPopulate));
     set$2(resolvedPopulate, [component], mergedComponentPopulate);
   }
   if (isEmpty(resolvedPopulate)) return void 0;
@@ -18625,7 +18639,7 @@ async function _populateRelation({
   }
   const newPopulate = {};
   for (const { documentId } of relations) {
-    const relationPopulate = resolvedRelations.get(documentId);
+    const relationPopulate = sanitizeObject(resolvedRelations.get(documentId));
     mergeWith(newPopulate, relationPopulate, (existing, proposed) => {
       if (proposed === true && existing) return existing;
       return void 0;
@@ -18796,7 +18810,7 @@ async function populate$1(params) {
   const { omitEmpty, localizations, contentTypes: contentTypes2 } = strapi.config.get("plugin::deep-populate");
   const contentTypeConfig = has(contentTypes2, "*") ? get$1(contentTypes2, "*") : {};
   if (has(contentTypes2, params.contentType)) {
-    mergeWith(contentTypeConfig, get$1(contentTypes2, params.contentType));
+    mergeWith(contentTypeConfig, sanitizeObject(get$1(contentTypes2, params.contentType)));
   }
   const { allow, deny } = contentTypeConfig;
   const resolvedRelations = /* @__PURE__ */ new Map();

package/dist/server/src/utils/sanitizeObject.d.ts

@@ -0,0 +1 @@
+export declare const sanitizeObject: (obj: unknown) => unknown;

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.9.0",
+  "version": "1.9.1",
   "keywords": [
     "strapi",
     "strapi-plugin",