feat(microsoft-excel): add SharePoint drive support for Excel integration #4162
waleedlatif1 wants to merge 14 commits into staging from
PR Summary (Cursor Bugbot): Medium Risk. Overview: Adds a new … Hardens the new path-based inputs by validating … Reviewed by Cursor Bugbot for commit 8148260.
Greptile Summary: This PR adds SharePoint drive support to all four Microsoft Excel tools by introducing an optional
Confidence Score: 4/5. Safe to merge after fixing the stale driveId in advanced mode — all security concerns from prior review rounds are addressed. One P1 remains: manualDriveId is missing dependsOn: ['fileSource'], so advanced-mode users who switch from SharePoint back to OneDrive will have a stale drive ID forwarded to the tool, causing Graph API errors. The fix is a single-line addition. All previously raised security/path-traversal issues are resolved.
Important file changed: apps/sim/blocks/blocks/microsoft_excel.ts — the manualDriveId subblock configuration
Sequence Diagram
sequenceDiagram
participant UI as Block UI
participant FilesAPI as /api/auth/oauth/microsoft/files
participant DrivesAPI as /api/tools/microsoft_excel/drives
participant SheetsAPI as /api/tools/microsoft_excel/sheets
participant Graph as Microsoft Graph API
UI->>FilesAPI: GET ?credentialId&driveId (optional)
FilesAPI->>Graph: GET /drives/{driveId}/root/search OR /me/drive/root/search
Graph-->>FilesAPI: file list
FilesAPI-->>UI: { files }
UI->>DrivesAPI: POST { credential, siteId }
DrivesAPI->>Graph: GET /sites/{siteId}/drives
Graph-->>DrivesAPI: drive list
DrivesAPI-->>UI: { drives }
UI->>DrivesAPI: POST { credential, siteId, driveId } (fetchById)
DrivesAPI->>Graph: GET /sites/{siteId}/drives/{driveId}
Graph-->>DrivesAPI: single drive
DrivesAPI-->>UI: { drive }
UI->>SheetsAPI: GET ?credentialId&spreadsheetId&driveId (optional)
SheetsAPI->>Graph: GET /drives/{driveId}/items/{id}/workbook/worksheets OR /me/drive/items/{id}/workbook/worksheets
Graph-->>SheetsAPI: worksheet list
SheetsAPI-->>UI: { sheets }
Reviews (9): Last reviewed commit: "fix(microsoft-excel): reorder driveId be..."
- Validate siteId/driveId format in drives route to prevent path traversal
- Use direct single-drive endpoint for fetchById instead of filtering full list
- Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context
- Fix NextRequest type in drives route for build compatibility
@greptile
@cursor review
Add regex validation for driveId query param in the Microsoft OAuth files route to prevent path traversal, matching the drives route.
@greptile
@cursor review
…sheets route
- Add credential to any[] arrays so OneDrive users (no drive selected) still pass the dependsOn gate while driveSelector remains in the dependency list for context flow to SharePoint users
- Add /^[\w-]+$/ validation for driveId in sheets API route
@greptile
@cursor review
Add regex validation for driveId at the shared utility level to prevent path traversal through the tool execution path, which bypasses the API route validators.
@greptile
@cursor review
Replace inline regex validation with platform validators from @/lib/core/security/input-validation:
- validateSharePointSiteId for siteId in drives route
- validateAlphanumericId for driveId in drives, sheets, files routes and getItemBasePath utility
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit f18af3c.
…rePoint visibility Replace always-visible optional SharePoint fields with a File Source dropdown (OneDrive/SharePoint) that conditionally shows site and drive selectors. OneDrive users see zero extra fields (default). SharePoint users switch the dropdown and get the full cascade.
Make fileSource dropdown mode:'both' so it appears in basic and advanced modes. Add condition to manualDriveId to match driveSelector's condition, satisfying the canonical pair consistency test.
@greptile
@cursor review
… support
- Clear stale driveId/siteId/spreadsheetId when fileSource changes by adding fileSource to dependsOn arrays for siteSelector, driveSelector, and spreadsheetId selectors
- Reorder manualDriveId before manualSpreadsheetId in advanced mode for logical top-down flow
- Validate spreadsheetId with validateMicrosoftGraphId in getItemBasePath() and sheets route to close injection vector (uses permissive validator that accepts ! chars in OneDrive item IDs)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@greptile
@cursor review
…tion
SharePoint drive IDs use the format b!<base64-string>, which contains ! characters rejected by validateAlphanumericId. Switch all driveId validation to validateMicrosoftGraphId, which blocks path traversal and control characters while accepting valid Microsoft Graph identifiers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@greptile
@cursor review
… driveId/spreadsheetId
Replace validateMicrosoftGraphId with validatePathSegment using a custom pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment blocks /, \, path traversal, and null bytes before checking the pattern, preventing URL-modifying characters like ?, #, & from altering the Graph API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@greptile
@cursor review
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 8148260.
Move driveId subBlock before manualSpreadsheetId in the legacy v1 block to match the logical top-down flow (Drive ID → Spreadsheet ID), consistent with the v2 block ordering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
// Drive ID for SharePoint (advanced mode, only when SharePoint is selected)
{
  id: 'manualDriveId',
  title: 'Drive ID',
  type: 'short-input',
  canonicalParamId: 'driveId',
  placeholder: 'Enter the SharePoint drive ID',
  condition: { field: 'fileSource', value: 'sharepoint' },
  mode: 'advanced',
},
Stale driveId not cleared when switching back to OneDrive
condition only controls visibility — it never clears the stored value. dependsOn is what tells the subblock system to clear a value when a dependency changes. Without dependsOn: ['fileSource'] here, a user who:
- Sets fileSource = 'sharepoint' in advanced mode and enters a manualDriveId
- Then switches fileSource back to 'onedrive'
…will have the hidden-but-still-serialized driveId canonical value forwarded to the tool, causing getItemBasePath to route through the SharePoint drive path instead of me/drive, producing a Graph API 404 or permission error for any OneDrive spreadsheet.
Current:
// Drive ID for SharePoint (advanced mode, only when SharePoint is selected)
{
  id: 'manualDriveId',
  title: 'Drive ID',
  type: 'short-input',
  canonicalParamId: 'driveId',
  placeholder: 'Enter the SharePoint drive ID',
  condition: { field: 'fileSource', value: 'sharepoint' },
  mode: 'advanced',
},
Suggested change:
{
  id: 'manualDriveId',
  title: 'Drive ID',
  type: 'short-input',
  canonicalParamId: 'driveId',
  placeholder: 'Enter the SharePoint drive ID',
  condition: { field: 'fileSource', value: 'sharepoint' },
  dependsOn: ['fileSource'],
  mode: 'advanced',
},

Summary
- driveId parameter to all Microsoft Excel tools for SharePoint file access
- /api/tools/microsoft_excel/drives route to list SharePoint document libraries
Type of Change
Testing
Tested manually
Checklist