@strapi/utils 4.9.0-alpha.0 → 4.9.0-beta.1

package/lib/content-types.js

@@ -99,8 +99,8 @@ const getPrivateAttributes = (model = {}) => {
   );
 };
 
-const isPrivateAttribute = (model = {}, attributeName) => {
-  return model && model.privateAttributes && model.privateAttributes.includes(attributeName);
+const isPrivateAttribute = (model, attributeName) => {
+  return model?.privateAttributes?.includes(attributeName) ?? false;
 };
 
 const isScalarAttribute = (attribute) => {

package/lib/convert-query-params.js

@@ -232,7 +232,8 @@ const convertPopulateObject = (populate, schema) => {
       isMediaAttribute(attribute) ||
       isMorphToRelationalAttribute(attribute);
 
-    const hasFragmentPopulateDefined = typeof subPopulate === 'object' && 'on' in subPopulate;
+    const hasFragmentPopulateDefined =
+      typeof subPopulate === 'object' && 'on' in subPopulate && !isNil(subPopulate.on);
 
     if (isAllowedAttributeForFragmentPopulate && hasFragmentPopulateDefined) {
       return {
@@ -418,7 +419,7 @@ const convertAndSanitizeFilters = (filters, schema) => {
 
   // Here, `key` can either be an operator or an attribute name
   for (const [key, value] of Object.entries(filters)) {
-    const attribute = get(key, schema.attributes);
+    const attribute = get(key, schema?.attributes);
 
     // Handle attributes
     if (attribute) {

package/lib/env-helper.js

@@ -71,6 +71,26 @@ const utils = {
     const value = process.env[key];
     return new Date(value);
   },
+
+  /**
+   * Gets a value from env that matches oneOf provided values
+   * @param {string} key
+   * @param {string[]} expectedValues
+   * @param {string|undefined} defaultValue
+   * @returns {string|undefined}
+   */
+  oneOf(key, expectedValues, defaultValue) {
+    if (!expectedValues) {
+      throw new Error(`env.oneOf requires expectedValues`);
+    }
+
+    if (defaultValue && !expectedValues.includes(defaultValue)) {
+      throw new Error(`env.oneOf requires defaultValue to be included in expectedValues`);
+    }
+
+    const rawValue = env(key, defaultValue);
+    return expectedValues.includes(rawValue) ? rawValue : defaultValue;
+  },
 };
 
 Object.assign(env, utils);

package/lib/index.js

@@ -42,6 +42,7 @@ const convertQueryParams = require('./convert-query-params');
 const importDefault = require('./import-default');
 const template = require('./template');
 const file = require('./file');
+const traverse = require('./traverse');
 
 module.exports = {
   yup,
@@ -91,4 +92,5 @@ module.exports = {
   convertQueryParams,
   importDefault,
   file,
+  traverse,
 };

package/lib/sanitize/index.js

@@ -1,60 +1,138 @@
 'use strict';
 
-const { isArray } = require('lodash/fp');
+const { isArray, cloneDeep } = require('lodash/fp');
 
-const traverseEntity = require('../traverse-entity');
 const { getNonWritableAttributes } = require('../content-types');
 const { pipeAsync } = require('../async');
 
 const visitors = require('./visitors');
 const sanitizers = require('./sanitizers');
+const traverseEntity = require('../traverse-entity');
+
+const { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } = require('../traverse');
+
+const createContentAPISanitizers = () => {
+  const sanitizeInput = (data, schema, { auth } = {}) => {
+    if (isArray(data)) {
+      return Promise.all(data.map((entry) => sanitizeInput(entry, schema, { auth })));
+    }
+
+    const nonWritableAttributes = getNonWritableAttributes(schema);
+
+    const transforms = [
+      // Remove non writable attributes
+      traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
+    ];
+
+    if (auth) {
+      // Remove restricted relations
+      transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+    }
+
+    // Apply sanitizers from registry if exists
+    strapi.sanitizers
+      .get('content-api.input')
+      .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+
+    return pipeAsync(...transforms)(data);
+  };
+
+  const sanitizeOuput = (data, schema, { auth } = {}) => {
+    if (isArray(data)) {
+      return Promise.all(data.map((entry) => sanitizeOuput(entry, schema, { auth })));
+    }
+
+    const transforms = [sanitizers.defaultSanitizeOutput(schema)];
+
+    if (auth) {
+      transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+    }
+
+    // Apply sanitizers from registry if exists
+    strapi.sanitizers
+      .get('content-api.output')
+      .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+
+    return pipeAsync(...transforms)(data);
+  };
+
+  const sanitizeQuery = async (query, schema, { auth } = {}) => {
+    const { filters, sort, fields, populate } = query;
+
+    const sanitizedQuery = cloneDeep(query);
+
+    if (filters) {
+      Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });
+    }
+
+    if (sort) {
+      Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });
+    }
+
+    if (fields) {
+      Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });
+    }
+
+    if (populate) {
+      Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });
+    }
+
+    return sanitizedQuery;
+  };
+
+  const sanitizeFilters = (filters, schema, { auth } = {}) => {
+    if (isArray(filters)) {
+      return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));
+    }
+
+    const transforms = [sanitizers.defaultSanitizeFilters(schema)];
+
+    if (auth) {
+      transforms.push(traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema }));
+    }
+
+    return pipeAsync(...transforms)(filters);
+  };
+
+  const sanitizeSort = (sort, schema, { auth } = {}) => {
+    const transforms = [sanitizers.defaultSanitizeSort(schema)];
+
+    if (auth) {
+      transforms.push(traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema }));
+    }
+
+    return pipeAsync(...transforms)(sort);
+  };
+
+  const sanitizeFields = (fields, schema) => {
+    const transforms = [sanitizers.defaultSanitizeFields(schema)];
+
+    return pipeAsync(...transforms)(fields);
+  };
+
+  const sanitizePopulate = (populate, schema, { auth } = {}) => {
+    const transforms = [sanitizers.defaultSanitizePopulate(schema)];
+
+    if (auth) {
+      transforms.push(traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema }));
+    }
+
+    return pipeAsync(...transforms)(populate);
+  };
+
+  return {
+    input: sanitizeInput,
+    output: sanitizeOuput,
+    query: sanitizeQuery,
+    filters: sanitizeFilters,
+    sort: sanitizeSort,
+    fields: sanitizeFields,
+    populate: sanitizePopulate,
+  };
+};
 
 module.exports = {
-  contentAPI: {
-    input(data, schema, { auth } = {}) {
-      if (isArray(data)) {
-        return Promise.all(data.map((entry) => this.input(entry, schema, { auth })));
-      }
-
-      const nonWritableAttributes = getNonWritableAttributes(schema);
-
-      const transforms = [
-        // Remove non writable attributes
-        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
-      ];
-
-      if (auth) {
-        // Remove restricted relations
-        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
-      }
-
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.input')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
-
-      return pipeAsync(...transforms)(data);
-    },
-
-    output(data, schema, { auth } = {}) {
-      if (isArray(data)) {
-        return Promise.all(data.map((entry) => this.output(entry, schema, { auth })));
-      }
-
-      const transforms = [sanitizers.defaultSanitizeOutput(schema)];
-
-      if (auth) {
-        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
-      }
-
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.output')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
-
-      return pipeAsync(...transforms)(data);
-    },
-  },
+  contentAPI: createContentAPISanitizers(),
 
   sanitizers,
   visitors,

package/lib/sanitize/sanitizers.js

@@ -1,11 +1,24 @@
 'use strict';
 
-const { curry } = require('lodash/fp');
+const { curry, isEmpty, isNil, isArray, isObject } = require('lodash/fp');
 
 const { pipeAsync } = require('../async');
 const traverseEntity = require('../traverse-entity');
+const { isScalarAttribute } = require('../content-types');
 
-const { removePassword, removePrivate } = require('./visitors');
+const {
+  traverseQueryFilters,
+  traverseQuerySort,
+  traverseQueryPopulate,
+  traverseQueryFields,
+} = require('../traverse');
+
+const {
+  removePassword,
+  removePrivate,
+  removeDynamicZones,
+  removeMorphToRelations,
+} = require('./visitors');
 
 const sanitizePasswords = curry((schema, entity) => {
   return traverseEntity(removePassword, { schema }, entity);
@@ -19,8 +32,118 @@ const defaultSanitizeOutput = curry((schema, entity) => {
   return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);
 });
 
+const defaultSanitizeFilters = curry((schema, filters) => {
+  return pipeAsync(
+    // Remove dynamic zones from filters
+    traverseQueryFilters(removeDynamicZones, { schema }),
+    // Remove morpTo relations from filters
+    traverseQueryFilters(removeMorphToRelations, { schema }),
+    // Remove passwords from filters
+    traverseQueryFilters(removePassword, { schema }),
+    // Remove private from filters
+    traverseQueryFilters(removePrivate, { schema }),
+    // Remove empty objects
+    traverseQueryFilters(
+      ({ key, value }, { remove }) => {
+        if (isObject(value) && isEmpty(value)) {
+          remove(key);
+        }
+      },
+      { schema }
+    )
+  )(filters);
+});
+
+const defaultSanitizeSort = curry((schema, sort) => {
+  return pipeAsync(
+    // Remove non attribute keys
+    traverseQuerySort(
+      ({ key, attribute }, { remove }) => {
+        // ID is not an attribute per se, so we need to make
+        // an extra check to ensure we're not removing it
+        if (key === 'id') {
+          return;
+        }
+
+        if (!attribute) {
+          remove(key);
+        }
+      },
+      { schema }
+    ),
+    // Remove dynamic zones from sort
+    traverseQuerySort(removeDynamicZones, { schema }),
+    // Remove morpTo relations from sort
+    traverseQuerySort(removeMorphToRelations, { schema }),
+    // Remove private from sort
+    traverseQuerySort(removePrivate, { schema }),
+    // Remove passwords from filters
+    traverseQuerySort(removePassword, { schema }),
+    // Remove keys for empty non-scalar values
+    traverseQuerySort(
+      ({ key, attribute, value }, { remove }) => {
+        if (!isScalarAttribute(attribute) && isEmpty(value)) {
+          remove(key);
+        }
+      },
+      { schema }
+    )
+  )(sort);
+});
+
+const defaultSanitizeFields = curry((schema, fields) => {
+  return pipeAsync(
+    // Only keep scalar attributes
+    traverseQueryFields(
+      ({ key, attribute }, { remove }) => {
+        if (isNil(attribute) || !isScalarAttribute(attribute)) {
+          remove(key);
+        }
+      },
+      { schema }
+    ),
+    // Remove private fields
+    traverseQueryFields(removePrivate, { schema }),
+    // Remove password fields
+    traverseQueryFields(removePassword, { schema }),
+    // Remove nil values from fields array
+    (value) => (isArray(value) ? value.filter((field) => !isNil(field)) : value)
+  )(fields);
+});
+
+const defaultSanitizePopulate = curry((schema, populate) => {
+  return pipeAsync(
+    traverseQueryPopulate(
+      async ({ key, value, schema, attribute }, { set }) => {
+        if (attribute) {
+          return;
+        }
+
+        if (key === 'sort') {
+          set(key, await defaultSanitizeSort(schema, value));
+        }
+
+        if (key === 'filters') {
+          set(key, await defaultSanitizeFilters(schema, value));
+        }
+
+        if (key === 'fields') {
+          set(key, await defaultSanitizeFields(schema, value));
+        }
+      },
+      { schema }
+    ),
+    // Remove private fields
+    traverseQueryPopulate(removePrivate, { schema })
+  )(populate);
+});
+
 module.exports = {
   sanitizePasswords,
   sanitizePrivates,
   defaultSanitizeOutput,
+  defaultSanitizeFilters,
+  defaultSanitizeSort,
+  defaultSanitizeFields,
+  defaultSanitizePopulate,
 };

package/lib/sanitize/visitors/allowed-fields.js

@@ -1,10 +1,10 @@
 'use strict';
 
-const { isArray, toPath } = require('lodash/fp');
+const { isArray, isNil, toPath } = require('lodash/fp');
 
 module.exports =
   (allowedFields = null) =>
-  ({ key, path }, { remove }) => {
+  ({ key, path: { attribute: path } }, { remove }) => {
     // All fields are allowed
     if (allowedFields === null) {
       return;
@@ -15,6 +15,10 @@ module.exports =
       return;
     }
 
+    if (isNil(path)) {
+      return;
+    }
+
     const containedPaths = getContainedPaths(path);
 
     /**

package/lib/sanitize/visitors/index.js

@@ -4,6 +4,8 @@ module.exports = {
   removePassword: require('./remove-password'),
   removePrivate: require('./remove-private'),
   removeRestrictedRelations: require('./remove-restricted-relations'),
+  removeMorphToRelations: require('./remove-morph-to-relations'),
+  removeDynamicZones: require('./remove-dynamic-zones'),
   allowedFields: require('./allowed-fields'),
   restrictedFields: require('./restricted-fields'),
 };

package/lib/sanitize/visitors/remove-dynamic-zones.js

@@ -0,0 +1,9 @@
+'use strict';
+
+const { isDynamicZoneAttribute } = require('../../content-types');
+
+module.exports = ({ key, attribute }, { remove }) => {
+  if (isDynamicZoneAttribute(attribute)) {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-morph-to-relations.js

@@ -0,0 +1,9 @@
+'use strict';
+
+const { isMorphToRelationalAttribute } = require('../../content-types');
+
+module.exports = ({ key, attribute }, { remove }) => {
+  if (isMorphToRelationalAttribute(attribute)) {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-password.js

@@ -1,7 +1,7 @@
 'use strict';
 
 module.exports = ({ key, attribute }, { remove }) => {
-  if (attribute.type === 'password') {
+  if (attribute?.type === 'password') {
     remove(key);
   }
 };

package/lib/sanitize/visitors/remove-private.js

@@ -2,8 +2,12 @@
 
 const { isPrivateAttribute } = require('../../content-types');
 
-module.exports = ({ schema, key }, { remove }) => {
-  const isPrivate = isPrivateAttribute(schema, key);
+module.exports = ({ schema, key, attribute }, { remove }) => {
+  if (!attribute) {
+    return;
+  }
+
+  const isPrivate = isPrivateAttribute(schema, key) || attribute.private === true;
 
   if (isPrivate) {
     remove(key);

package/lib/sanitize/visitors/remove-restricted-relations.js

@@ -7,6 +7,10 @@ const { CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE } = require('../../content-ty
 module.exports =
   (auth) =>
   async ({ data, key, attribute, schema }, { remove, set }) => {
+    if (!attribute) {
+      return;
+    }
+
     const isRelation = attribute.type === 'relation';
 
     if (!isRelation) {

package/lib/sanitize/visitors/restricted-fields.js

@@ -4,7 +4,7 @@ const { isArray } = require('lodash/fp');
 
 module.exports =
   (restrictedFields = null) =>
-  ({ key, path }, { remove }) => {
+  ({ key, path: { attribute: path } }, { remove }) => {
     // Remove all fields
     if (restrictedFields === null) {
       remove(key);

package/lib/traverse/factory.js

@@ -0,0 +1,157 @@
+'use strict';
+
+const { isNil, pick } = require('lodash/fp');
+
+module.exports = () => {
+  const state = {
+    parsers: [],
+    interceptors: [],
+    ignore: [],
+    handlers: {
+      attributes: [],
+      common: [],
+    },
+  };
+
+  const traverse = async (visitor, options, data) => {
+    const { path = { raw: null, attribute: null }, schema } = options ?? {};
+
+    // interceptors
+    for (const { predicate, handler } of state.interceptors) {
+      if (predicate(data)) {
+        return handler(visitor, options, data, { recurse: traverse });
+      }
+    }
+
+    // parsers
+    const parser = state.parsers.find((parser) => parser.predicate(data))?.parser;
+    const utils = parser?.(data);
+
+    // Return the data untouched if we don't know how to traverse it
+    if (!utils) {
+      return data;
+    }
+
+    // main loop
+    let out = utils.transform(data);
+    const keys = utils.keys(out);
+
+    for (const key of keys) {
+      const attribute =
+        schema?.attributes?.[key] ??
+        // FIX: Needed to not break existing behavior on the API.
+        //      It looks for the attribute in the DB metadata when the key is in snake_case
+        schema?.attributes?.[strapi.db.metadata.get(schema?.uid).columnToAttribute[key]];
+
+      const newPath = { ...path };
+
+      newPath.raw = isNil(path.raw) ? key : `${path.raw}.${key}`;
+
+      if (!isNil(attribute)) {
+        newPath.attribute = isNil(path.attribute) ? key : `${path.attribute}.${key}`;
+      }
+
+      // visitors
+
+      const visitorOptions = {
+        key,
+        value: utils.get(key, out),
+        attribute,
+        schema,
+        path: newPath,
+        data: out,
+      };
+
+      const transformUtils = {
+        remove(key) {
+          out = utils.remove(key, out);
+        },
+        set(key, value) {
+          out = utils.set(key, value, out);
+        },
+        recurse: traverse,
+      };
+
+      await visitor(visitorOptions, pick(['remove', 'set'], transformUtils));
+
+      const value = utils.get(key, out);
+
+      const createContext = () => ({
+        key,
+        value,
+        attribute,
+        schema,
+        path: newPath,
+        data: out,
+        visitor,
+      });
+
+      // ignore
+      const ignoreCtx = createContext();
+      const shouldIgnore = state.ignore.some((predicate) => predicate(ignoreCtx));
+
+      if (shouldIgnore) {
+        continue;
+      }
+
+      // handlers
+      const handlers = [...state.handlers.common, ...state.handlers.attributes];
+
+      for await (const handler of handlers) {
+        const ctx = createContext();
+        const pass = await handler.predicate(ctx);
+
+        if (pass) {
+          await handler.handler(ctx, pick(['recurse', 'set'], transformUtils));
+        }
+      }
+    }
+
+    return out;
+  };
+
+  return {
+    traverse,
+
+    intercept(predicate, handler) {
+      state.interceptors.push({ predicate, handler });
+      return this;
+    },
+
+    parse(predicate, parser) {
+      state.parsers.push({ predicate, parser });
+      return this;
+    },
+
+    ignore(predicate) {
+      state.ignore.push(predicate);
+      return this;
+    },
+
+    on(predicate, handler) {
+      state.handlers.common.push({ predicate, handler });
+      return this;
+    },
+
+    onAttribute(predicate, handler) {
+      state.handlers.attributes.push({ predicate, handler });
+      return this;
+    },
+
+    onRelation(handler) {
+      return this.onAttribute(({ attribute }) => attribute?.type === 'relation', handler);
+    },
+
+    onMedia(handler) {
+      return this.onAttribute(({ attribute }) => attribute?.type === 'media', handler);
+    },
+
+    onComponent(handler) {
+      return this.onAttribute(({ attribute }) => attribute?.type === 'component', handler);
+    },
+
+    onDynamicZone(handler) {
+      return this.onAttribute(({ attribute }) => attribute?.type === 'dynamiczone', handler);
+    },
+  };
+};

package/lib/traverse/index.js

@@ -0,0 +1,16 @@
+'use strict';
+
+const factory = require('./factory');
+
+const traverseQueryFilters = require('./query-filters');
+const traverseQuerySort = require('./query-sort');
+const traverseQueryPopulate = require('./query-populate');
+const traverseQueryFields = require('./query-fields');
+
+module.exports = {
+  factory,
+  traverseQueryFilters,
+  traverseQuerySort,
+  traverseQueryPopulate,
+  traverseQueryFields,
+};

package/lib/traverse/query-fields.js

@@ -0,0 +1,39 @@
+'use strict';
+
+const { curry, isArray, isString, eq, trim, constant } = require('lodash/fp');
+
+const traverseFactory = require('./factory');
+
+const isStringArray = (value) => isArray(value) && value.every(isString);
+
+const fields = traverseFactory()
+  // Interecept array of strings
+  .intercept(isStringArray, async (visitor, options, fields, { recurse }) => {
+    return Promise.all(fields.map((field) => recurse(visitor, options, field)));
+  })
+  // Return wildcards as is
+  .intercept(eq('*'), constant('*'))
+  // Parse string values
+  // Since we're parsing strings only, each value should be an attribute name (and it's value, undefined),
+  // thus it shouldn't be possible to set a new value, and get should return the whole data if key === data
+  .parse(isString, () => ({
+    transform: trim,
+
+    remove(key, data) {
+      return data === key ? undefined : data;
+    },
+
+    set(_key, _value, data) {
+      return data;
+    },
+
+    keys(data) {
+      return [data];
+    },
+
+    get(key, data) {
+      return key === data ? data : undefined;
+    },
+  }));
+
+module.exports = curry(fields.traverse);

package/lib/traverse/query-filters.js

@@ -0,0 +1,97 @@
+'use strict';
+
+const { curry, isObject, isEmpty, isArray, isNil, cloneDeep } = require('lodash/fp');
+
+const traverseFactory = require('./factory');
+
+const filters = traverseFactory()
+  .intercept(
+    // Intercept filters arrays and apply the traversal to each one individually
+    isArray,
+    async (visitor, options, filters, { recurse }) => {
+      return Promise.all(
+        filters.map((filter, i) => {
+          // In filters, only operators such as $and, $in, $notIn or $or and implicit operators like [...]
+          // can have a value array, thus we can update the raw path but not the attribute one
+          const newPath = { ...options.path, raw: `${options.path.raw}[${i}]` };
+
+          return recurse(visitor, { ...options, path: newPath }, filter);
+        })
+        // todo: move that to the visitors
+      ).then((res) => res.filter((val) => !(isObject(val) && isEmpty(val))));
+    }
+  )
+  .intercept(
+    // Ignore non object filters and return the value as-is
+    (filters) => !isObject(filters),
+    (_, __, filters) => {
+      return filters;
+    }
+  )
+  // Parse object values
+  .parse(
+    (value) => typeof value === 'object',
+    () => ({
+      transform: cloneDeep,
+
+      remove(key, data) {
+        const { [key]: ignored, ...rest } = data;
+
+        return rest;
+      },
+
+      set(key, value, data) {
+        return { ...data, [key]: value };
+      },
+
+      keys(data) {
+        return Object.keys(data);
+      },
+
+      get(key, data) {
+        return data[key];
+      },
+    })
+  )
+  // Ignore null or undefined values
+  .ignore(({ value }) => isNil(value))
+  // Recursion on operators (non attributes)
+  .on(
+    ({ attribute }) => isNil(attribute),
+    async ({ key, visitor, path, value, schema }, { set, recurse }) => {
+      set(key, await recurse(visitor, { schema, path }, value));
+    }
+  )
+  // Handle relation recursion
+  .onRelation(async ({ key, attribute, visitor, path, value }, { set, recurse }) => {
+    const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+    if (isMorphRelation) {
+      return;
+    }
+
+    const targetSchemaUID = attribute.target;
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  .onComponent(async ({ key, attribute, visitor, path, value }, { set, recurse }) => {
+    const targetSchema = strapi.getModel(attribute.component);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle media recursion
+  .onMedia(async ({ key, visitor, path, value }, { set, recurse }) => {
+    const targetSchemaUID = 'plugin::upload.file';
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  });
+
+module.exports = curry(filters.traverse);

package/lib/traverse/query-populate.js

@@ -0,0 +1,191 @@
+'use strict';
+
+const {
+  curry,
+  isString,
+  isArray,
+  eq,
+  constant,
+  split,
+  isObject,
+  trim,
+  isNil,
+  cloneDeep,
+  join,
+  first,
+} = require('lodash/fp');
+
+const traverseFactory = require('./factory');
+
+const isKeyword =
+  (keyword) =>
+  ({ key, attribute }) => {
+    return !attribute && keyword === key;
+  };
+const isStringArray = (value) => isArray(value) && value.every(isString);
+
+const populate = traverseFactory()
+  // Array of strings ['foo', 'foo.bar'] => map(recurse), then filter out empty items
+  .intercept(isStringArray, async (visitor, options, populate, { recurse }) => {
+    return Promise.all(populate.map((nestedPopulate) => recurse(visitor, options, nestedPopulate)));
+  })
+  // Return wildcards as is
+  .intercept(eq('*'), constant('*'))
+  // Parse string values
+  .parse(isString, () => {
+    const tokenize = split('.');
+    const recompose = join('.');
+
+    return {
+      transform: trim,
+
+      remove(key, data) {
+        const [root] = tokenize(data);
+
+        return root === key ? undefined : data;
+      },
+
+      set(key, value, data) {
+        const [root] = tokenize(data);
+
+        if (root !== key) {
+          return data;
+        }
+
+        return isNil(value) ? root : `${root}.${value}`;
+      },
+
+      keys(data) {
+        return [first(tokenize(data))];
+      },
+
+      get(key, data) {
+        const [root, ...rest] = tokenize(data);
+
+        return key === root ? recompose(rest) : undefined;
+      },
+    };
+  })
+  // Parse object values
+  .parse(isObject, () => ({
+    transform: cloneDeep,
+
+    remove(key, data) {
+      const { [key]: ignored, ...rest } = data;
+
+      return rest;
+    },
+
+    set(key, value, data) {
+      return { ...data, [key]: value };
+    },
+
+    keys(data) {
+      return Object.keys(data);
+    },
+
+    get(key, data) {
+      return data[key];
+    },
+  }))
+  .ignore(({ key, attribute }) => {
+    return ['sort', 'filters', 'fields'].includes(key) && !attribute;
+  })
+  .on(
+    // Handle recursion on populate."populate"
+    isKeyword('populate'),
+    async ({ key, visitor, path, value, schema }, { set, recurse }) => {
+      const newValue = await recurse(visitor, { schema, path }, value);
+
+      set(key, newValue);
+    }
+  )
+  .on(isKeyword('on'), async ({ key, visitor, path, value }, { set, recurse }) => {
+    const newOn = {};
+
+    for (const [uid, subPopulate] of Object.entries(value)) {
+      const model = strapi.getModel(uid);
+      const newPath = { ...path, raw: `${path.raw}[${uid}]` };
+
+      const newSubPopulate = await recurse(visitor, { schema: model, path: newPath }, subPopulate);
+
+      newOn[uid] = newSubPopulate;
+    }
+
+    set(key, newOn);
+  })
+  // Handle populate on relation
+  .onRelation(async ({ key, value, attribute, visitor, path, schema }, { set, recurse }) => {
+    const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+    if (isMorphRelation) {
+      // Don't traverse values that cannot be parsed
+      if (!isObject(value) || !isObject(value?.on)) {
+        return;
+      }
+
+      // If there is a populate fragment defined, traverse it
+      const newValue = await recurse(visitor, { schema, path }, { on: value.on });
+
+      set(key, { on: newValue });
+    }
+
+    const targetSchemaUID = attribute.target;
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle populate on media
+  .onMedia(async ({ key, path, visitor, value }, { recurse, set }) => {
+    const targetSchemaUID = 'plugin::upload.file';
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle populate on components
+  .onComponent(async ({ key, value, visitor, path, attribute }, { recurse, set }) => {
+    const targetSchema = strapi.getModel(attribute.component);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle populate on dynamic zones
+  .onDynamicZone(async ({ key, value, attribute, schema, visitor, path }, { set, recurse }) => {
+    if (isObject(value)) {
+      const { components } = attribute;
+      const { on, ...properties } = value;
+
+      const newValue = {};
+
+      // Handle legacy DZ params
+      let newProperties = properties;
+
+      for (const componentUID of components) {
+        const componentSchema = strapi.getModel(componentUID);
+        newProperties = await recurse(visitor, { schema: componentSchema, path }, newProperties);
+      }
+
+      Object.assign(newValue, newProperties);
+
+      // Handle new morph fragment syntax
+      if (on) {
+        const newOn = await recurse(visitor, { schema, path }, { on });
+
+        // Recompose both syntaxes
+        Object.assign(newValue, newOn);
+      }
+
+      set(key, newValue);
+    } else {
+      const newValue = await recurse(visitor, { schema, path }, value);
+
+      set(key, newValue);
+    }
+  });
+
+module.exports = curry(populate.traverse);

package/lib/traverse/query-sort.js

@@ -0,0 +1,171 @@
+'use strict';
+
+const {
+  curry,
+  isString,
+  isObject,
+  map,
+  trim,
+  split,
+  isEmpty,
+  flatten,
+  pipe,
+  isNil,
+  first,
+  cloneDeep,
+} = require('lodash/fp');
+
+const traverseFactory = require('./factory');
+
+const ORDERS = { asc: 'asc', desc: 'desc' };
+const ORDER_VALUES = Object.values(ORDERS);
+
+const isSortOrder = (value) => ORDER_VALUES.includes(value.toLowerCase());
+const isStringArray = (value) => Array.isArray(value) && value.every(isString);
+const isObjectArray = (value) => Array.isArray(value) && value.every(isObject);
+const isNestedSorts = (value) => isString(value) && value.split(',').length > 1;
+
+const sort = traverseFactory()
+  .intercept(
+    // String with chained sorts (foo,bar,foobar) => split, map(recurse), then recompose
+    isNestedSorts,
+    async (visitor, options, sort, { recurse }) => {
+      return Promise.all(
+        sort
+          .split(',')
+          .map(trim)
+          .map((nestedSort) => recurse(visitor, options, nestedSort))
+      ).then((res) => res.filter((part) => !isEmpty(part)).join(','));
+    }
+  )
+  .intercept(
+    // Array of strings ['foo', 'foo,bar'] => map(recurse), then filter out empty items
+    isStringArray,
+    async (visitor, options, sort, { recurse }) => {
+      return Promise.all(sort.map((nestedSort) => recurse(visitor, options, nestedSort))).then(
+        (res) => res.filter((nestedSort) => !isEmpty(nestedSort))
+      );
+    }
+  )
+  .intercept(
+    // Array of objects [{ foo: 'asc' }, { bar: 'desc', baz: 'asc' }] => map(recurse), then filter out empty items
+    isObjectArray,
+    async (visitor, options, sort, { recurse }) => {
+      return Promise.all(sort.map((nestedSort) => recurse(visitor, options, nestedSort))).then(
+        (res) => res.filter((nestedSort) => !isEmpty(nestedSort))
+      );
+    }
+  )
+  // Parse string values
+  .parse(
+    (sort) => typeof sort === 'string',
+    () => {
+      const tokenize = pipe(split('.'), map(split(':')), flatten);
+      const recompose = (parts) => {
+        if (parts.length === 0) {
+          return undefined;
+        }
+
+        return parts.reduce((acc, part) => {
+          if (isEmpty(part)) {
+            return acc;
+          }
+
+          if (acc === '') {
+            return part;
+          }
+
+          return isSortOrder(part) ? `${acc}:${part}` : `${acc}.${part}`;
+        }, '');
+      };
+
+      return {
+        transform: trim,
+
+        remove(key, data) {
+          const [root] = tokenize(data);
+
+          return root === key ? undefined : data;
+        },
+
+        set(key, value, data) {
+          const [root] = tokenize(data);
+
+          if (root !== key) {
+            return data;
+          }
+
+          return isNil(value) ? root : `${root}.${value}`;
+        },
+
+        keys(data) {
+          return [first(tokenize(data))];
+        },
+
+        get(key, data) {
+          const [root, ...rest] = tokenize(data);
+
+          return key === root ? recompose(rest) : undefined;
+        },
+      };
+    }
+  )
+  // Parse object values
+  .parse(
+    (value) => typeof value === 'object',
+    () => ({
+      transform: cloneDeep,
+
+      remove(key, data) {
+        const { [key]: ignored, ...rest } = data;
+
+        return rest;
+      },
+
+      set(key, value, data) {
+        return { ...data, [key]: value };
+      },
+
+      keys(data) {
+        return Object.keys(data);
+      },
+
+      get(key, data) {
+        return data[key];
+      },
+    })
+  )
+  // Handle deep sort on relation
+  .onRelation(async ({ key, value, attribute, visitor, path }, { set, recurse }) => {
+    const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+    if (isMorphRelation) {
+      return;
+    }
+
+    const targetSchemaUID = attribute.target;
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle deep sort on media
+  .onMedia(async ({ key, path, visitor, value }, { recurse, set }) => {
+    const targetSchemaUID = 'plugin::upload.file';
+    const targetSchema = strapi.getModel(targetSchemaUID);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  })
+  // Handle deep sort on components
+  .onComponent(async ({ key, value, visitor, path, attribute }, { recurse, set }) => {
+    const targetSchema = strapi.getModel(attribute.component);
+
+    const newValue = await recurse(visitor, { schema: targetSchema, path }, value);
+
+    set(key, newValue);
+  });
+
+module.exports = curry(sort.traverse);

package/lib/traverse-entity.js

@@ -3,7 +3,7 @@
 const { cloneDeep, isObject, isArray, isNil, curry } = require('lodash/fp');
 
 const traverseEntity = async (visitor, options, entity) => {
-  const { path = null, schema } = options;
+  const { path = { raw: null, attribute: null }, schema } = options;
 
   // End recursion
   if (!isObject(entity) || isNil(schema)) {
@@ -22,7 +22,13 @@ const traverseEntity = async (visitor, options, entity) => {
       continue;
     }
 
-    const newPath = path ? `${path}.${key}` : key;
+    const newPath = { ...path };
+
+    newPath.raw = isNil(path.raw) ? key : `${path.raw}.${key}`;
+
+    if (!isNil(attribute)) {
+      newPath.attribute = isNil(path.attribute) ? key : `${path.attribute}.${key}`;
+    }
 
     // Visit the current attribute
     const visitorOptions = { data: copy, schema, key, value: copy[key], attribute, path: newPath };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/utils",
-  "version": "4.9.0-alpha.0",
+  "version": "4.9.0-beta.1",
   "description": "Shared utilities for the Strapi packages",
   "keywords": [
     "strapi",
@@ -46,5 +46,5 @@
     "node": ">=14.19.1 <=18.x.x",
     "npm": ">=6.0.0"
   },
-  "gitHead": "35f783d0dc07db101e7e62cb4d682f751551f452"
+  "gitHead": "ff37d666d0634fc84827e3d6419d916618275572"
 }