entityService returns private fields when using populate: '*'

System Information
  • Strapi Version: 4.11.1
  • Database: postgres
  • Node Version: v18.16.0

I have a controller with a custom findMany response:

let entries = await strapi.entityService.findMany('api::community.community', {
populate: '*',

I’ve set a relation field to private but it’s still being returned in the api reponse.

This seems like a security vulnerability. Any way to stop private relation fields from being returned when populate: ‘*’ is set?


1 Like

Okay thanks for pointing that out! For anyone else looking, you have to sanitize your output to remove the private fields when using strapi.entityService to retrieve entries.

async find(ctx) {
const sanitizedResults = await this.sanitizeOutput(entries, ctx);
const transformed = this.transformResponse(sanitizedResults);
return transformed;

Bascily every time you don’t use a core controller You need to senatize input and output not doing so.

not doing so means that your private fields are filterable if you don’t senatize the input or in the output if you don’t senatize the output

what means that if there is a connection to your admin user somewhere you can be hacked