Description/Steps to reproduce

1. Scaffold loopback app with two models. I used the "notes" template and added a Book model
2. Add relation Book hasMany Note
3. Create a Book instance
4. Create a related Note instance using POST api/Books/:id/notes
5. Update the related Note using PUT api/Books/:id/notes/:noteid and send in the body extra fields that do not belong to the Note model
6. Query the Note instance with GET api/Books/:id/notes/:noteid. Observe the extra fields being persisted in the Note instance

Link to reproduction sandbox

https://github.com/Overdrivr/lb-sanitize-issue

npm install
npm test

Expected result

This is the failing test in question

[...]
  it('updates a related Note instance, with more fields than expected', function(cb) {
      request(server)
        .put('/api/Books/' + BOOK.id + '/notes/' + NOTE.id)
        .send({
          content: 'content-2',
          someOtherFieldThatShouldBeDiscarded: 'this-should-not-end-up-in-notes-model'
        })
        .expect(200, cb);
  });

it('Note instance should not contain more fields than expected', function(cb) {
      request(server)
        .get('/api/Books/' + BOOK.id + '/notes/' + NOTE.id)
        .expect(200, function(err, res) {
          if (err) return cb(err);
          expect(res.body).to.not.contain.property('someOtherFieldThatShouldBeDiscarded');
          cb();
        });
  });

Result

> mocha test



  Book API
    √ creates a related Note instance (62ms)
    √ updates a related Note instance, with more fields than expected
    1) Note instance should not contain more fields than expected


  2 passing (93ms)
  1 failing

  1) Book API
       Note instance should not contain more fields than expected:
     Uncaught AssertionError: expected { Object (title, content, ...) } to not have property 'someOtherFieldThatShouldBeDiscarded'
      at Test.<anonymous> (test\test_sanitize.js:50:43)
      at Test.assert (node_modules\supertest\lib\test.js:179:6)
      at Server.assert (node_modules\supertest\lib\test.js:131:12)
      at emitCloseNT (net.js:1552:8)
      at _combinedTickCallback (internal/process/next_tick.js:77:11)
      at process._tickCallback (internal/process/next_tick.js:104:9)

npm ERR! Test failed.  See above for more details.

Additional information

I can reproduce this issue with both Loopback 2.x and 3.x.

win32 x64 6.11.0

+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
`-- [email protected]

To debug this issue further, I logged the Note persisted data using after save operation hook. This is very strange, because according to the after save hook, the extra field is not persisted in database. But the final test clearly shows that it is stored somewhere.

module.exports = function(Note) {
  Note.observe('after save', function(ctx, next) {
    console.log('after save %o', ctx.instance);
    next();
  });
};

Test output using after save

> mocha test

  Book API
after save %o { title: 'title-1', content: 'content-1', bookId: 1, id: 1 }
    √ creates a related Note instance (62ms)
after save %o { title: 'title-1', content: 'content-2', bookId: 1, id: 1 } <---- No extra field here
    √ updates a related Note instance, with more fields than expected
    1) Note instance should not contain more fields than expected

  2 passing (109ms)
  1 failing

  1) Book API
       Note instance should not contain more fields than expected:
     Uncaught AssertionError: expected { Object (title, content, ...) } to not have property 'someOtherFieldThatShouldBeDiscarded'
      at Test.<anonymous> (test\test_sanitize.js:50:43)
      at Test.assert (node_modules\supertest\lib\test.js:179:6)

Any ideas ? Any workaround ? This is pretty annoying because I have a webhook that receives secret information and it will end up being displayed to the client if I cannot fix this.