Currently, tsoa handles input validation (including noImplicitAdditionalProperties) but does not validate or sanitize output data against the controller's return type.
This creates a risk of accidental data leakage. For example, returning an object that contains extra fields (e.g., a database entity with passwordHash, internalFlags, or sensitive nested relations) results in those fields being serialized and sent to the client, even if they are not defined in the return interface.
I propose a configuration option in tsoa.json like stripExcessReturnProperties: true (defaulting to false). Since tsoa already generates metadata for models to validate inputs, could this same logic be used to recursively sanitize the output in the generated promise handler?
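To make the proposal concrete, here is an added example (not tsoa's own code) of the recursive strip step such an option would run on the controller's return value before serialization. It assumes a simplified, constructed schema shape standing in for tsoa's generated model metadata, and a constructed database entity as the accidentally over-wide return value.

```typescript
// Simplified model metadata. This is an assumption for the example, not
// tsoa's real generated schema format.
type Schema =
  | { kind: "primitive" }
  | { kind: "array"; items: Schema }
  | { kind: "object"; properties: Record<string, Schema> };

// Recursively copy only the properties the declared return type lists,
// descending into nested objects and arrays of objects.
function stripExcessProperties(value: unknown, schema: Schema): unknown {
  if (value === null || value === undefined) return value;
  switch (schema.kind) {
    case "primitive":
      return value;
    case "array":
      return Array.isArray(value)
        ? value.map((item) => stripExcessProperties(item, schema.items))
        : value;
    case "object": {
      if (typeof value !== "object") return value;
      const src = value as Record<string, unknown>;
      const out: Record<string, unknown> = {};
      for (const [name, propSchema] of Object.entries(schema.properties)) {
        if (Object.prototype.hasOwnProperty.call(src, name)) {
          out[name] = stripExcessProperties(src[name], propSchema);
        }
      }
      return out;
    }
    default:
      return value;
  }
}

// The return interface the controller declares: a public view of a user.
const UserResponseSchema: Schema = {
  kind: "object",
  properties: {
    id: { kind: "primitive" },
    email: { kind: "primitive" },
    roles: {
      kind: "array",
      items: { kind: "object", properties: { name: { kind: "primitive" } } },
    },
  },
};

// Constructed sample: a full database entity returned by mistake.
const dbEntity = {
  id: 42,
  email: "alice@example.com",
  passwordHash: "CONSTRUCTED_PLACEHOLDER_HASH",
  internalFlags: { beta: true },
  roles: [{ name: "admin", grantedBy: 7 }],
};

// What the client would receive with the option enabled.
function sanitizedUser(): Record<string, unknown> {
  return stripExcessProperties(dbEntity, UserResponseSchema) as Record<string, unknown>;
}
```

Without the strip step, `JSON.stringify(dbEntity)` would carry `passwordHash`, `internalFlags` and `roles[].grantedBy` to the client; with it, only `id`, `email` and `roles[].name` survive.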