feat(microsoft-excel): add SharePoint drive support for Excel integration #4162
waleedlatif1 wants to merge 12 commits into staging from
PR Summary

Medium Risk

Overview: Introduces a new Refactors Excel tool URL generation to use a shared

Reviewed by Cursor Bugbot for commit 3be18ca.
Greptile Summary

This PR adds optional SharePoint drive support to all Microsoft Excel tools by introducing a

Confidence Score: 5/5

Safe to merge — all prior P0/P1 concerns (path traversal, OneDrive lock-out, bulk fetchById) are resolved; one P2 edge case remains in advanced mode.

All previously-flagged security and regression issues are addressed. The single remaining finding is a P2: apps/sim/blocks/blocks/microsoft_excel.ts — the
Sequence Diagram

sequenceDiagram
participant UI as V2 Block (basic)
participant SR as Selector Registry
participant SP as /api/auth/oauth/microsoft/files
participant DR as /api/tools/microsoft_excel/drives
participant SH as /api/tools/microsoft_excel/sheets
participant GR as Microsoft Graph API
UI->>SR: fileSource=sharepoint → siteSelector
SR->>GR: GET /sites?search=...
GR-->>SR: site list
SR-->>UI: sites
UI->>SR: siteId set → driveSelector
SR->>DR: POST {siteId}
DR->>GR: GET /sites/{siteId}/drives
GR-->>DR: drive list
DR-->>SR: drives
SR-->>UI: document libraries
UI->>SR: driveId set → spreadsheetId selector
SR->>SP: GET ?driveId=...
SP->>GR: GET /drives/{driveId}/root/search(...)
GR-->>SP: files
SP-->>SR: Excel files
SR-->>UI: spreadsheets
UI->>SR: spreadsheetId set → sheetName selector
SR->>SH: GET ?spreadsheetId=...&driveId=...
SH->>GR: GET /drives/{driveId}/items/{spreadsheetId}/workbook/worksheets
GR-->>SH: worksheets
SH-->>SR: sheets
SR-->>UI: sheet names
Reviews (8): Last reviewed commit: "fix(microsoft-excel): use validateMicros..."
- Validate siteId/driveId format in drives route to prevent path traversal
- Use direct single-drive endpoint for fetchById instead of filtering full list
- Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context
- Fix NextRequest type in drives route for build compatibility

@greptile

@cusror review
Add regex validation for driveId query param in the Microsoft OAuth files route to prevent path traversal, matching the drives route.

@greptile

@cursor review
…sheets route

- Add credential to any[] arrays so OneDrive users (no drive selected) still pass the dependsOn gate while driveSelector remains in the dependency list for context flow to SharePoint users
- Add /^[\w-]+$/ validation for driveId in sheets API route

@greptile

@cursor review
Add regex validation for driveId at the shared utility level to prevent path traversal through the tool execution path, which bypasses the API route validators.

@greptile

@cursor review
Replace inline regex validation with platform validators from @/lib/core/security/input-validation:

- validateSharePointSiteId for siteId in drives route
- validateAlphanumericId for driveId in drives, sheets, files routes and getItemBasePath utility
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit f18af3c.
…rePoint visibility

Replace always-visible optional SharePoint fields with a File Source dropdown (OneDrive/SharePoint) that conditionally shows site and drive selectors. OneDrive users see zero extra fields (default). SharePoint users switch the dropdown and get the full cascade.
Make fileSource dropdown mode:'both' so it appears in basic and advanced modes. Add condition to manualDriveId to match driveSelector's condition, satisfying the canonical pair consistency test.

@greptile

@cursor review
… support

- Clear stale driveId/siteId/spreadsheetId when fileSource changes by adding fileSource to dependsOn arrays for siteSelector, driveSelector, and spreadsheetId selectors
- Reorder manualDriveId before manualSpreadsheetId in advanced mode for logical top-down flow
- Validate spreadsheetId with validateMicrosoftGraphId in getItemBasePath() and sheets route to close injection vector (uses permissive validator that accepts ! chars in OneDrive item IDs)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@greptile

@cursor review
…tion

SharePoint drive IDs use the format b!<base64-string> which contains ! characters rejected by validateAlphanumericId. Switch all driveId validation to validateMicrosoftGraphId which blocks path traversal and control characters while accepting valid Microsoft Graph identifiers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@greptile

@cursor review
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3be18ca.
… driveId/spreadsheetId

Replace validateMicrosoftGraphId with validatePathSegment using a custom pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment blocks /, \, path traversal, and null bytes before checking the pattern, preventing URL-modifying characters like ?, #, & from altering the Graph API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
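
The validation approach the commit messages above converge on, as an added TypeScript example that is not code from this PR: structural checks, then the quoted allowlist, applied inside the URL builder so every caller passes through it. `rejectReason` and `buildItemBasePath` are hypothetical names, the IDs are constructed, and the `/me/drive` fallback for OneDrive is an assumption.

```typescript
// Added example: hypothetical helpers, not the project's validatePathSegment or getItemBasePath.
const GRAPH_BASE = 'https://graph.microsoft.com/v1.0'
const GRAPH_ID_PATTERN = /^[a-zA-Z0-9!_-]+$/ // allowlist quoted in the commit message
const NARROW_ID_PATTERN = /^[\w-]+$/ // earlier inline pattern from this PR; has no "!"

// Returns null when the value is safe to use as ONE URL path segment, else the reason.
function rejectReason(raw: string, name: string): string | null {
  if (typeof raw !== 'string' || raw.length === 0) return `${name} is required`
  // Structural checks first: separators, traversal and null bytes never belong in a segment.
  if (/[\/\\]/.test(raw)) return `${name} contains a path separator`
  if (/\.\./.test(raw)) return `${name} contains a traversal sequence`
  if (/\x00/.test(raw)) return `${name} contains a null byte`
  // Allowlist second: rejects ?, #, &, % and anything else that could reshape the URL.
  if (!GRAPH_ID_PATTERN.test(raw)) return `${name} has characters outside the allowlist`
  return null
}

// Validation lives in the URL builder, so API routes and direct tool execution share one gate.
function buildItemBasePath(spreadsheetId: string, driveId?: string): string {
  const itemError = rejectReason(spreadsheetId, 'spreadsheetId')
  if (itemError) throw new Error(itemError)
  // Assumption: with no drive selected, the file is in the signed-in user's OneDrive.
  if (!driveId) return `${GRAPH_BASE}/me/drive/items/${spreadsheetId}`
  const driveError = rejectReason(driveId, 'driveId')
  if (driveError) throw new Error(driveError)
  return `${GRAPH_BASE}/drives/${driveId}/items/${spreadsheetId}`
}

// Constructed sample inputs, not real identifiers.
const SAMPLE_IDS = [
  '01ABCDEF234567', // OneDrive-style item id
  'b!Zm9vYmFy_c2FtcGxl-01', // SharePoint-style drive id
  '../../users', 'abc%2F..%2Fme', 'abc?$select=id', 'abc#frag',
]

function acceptedIds(ids: string[]): string[] {
  return ids.filter((id) => rejectReason(id, 'id') === null)
}

console.log(acceptedIds(SAMPLE_IDS))
console.log(NARROW_ID_PATTERN.test('b!Zm9vYmFy_c2FtcGxl-01')) // false: "!" is outside the narrower pattern
```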

Summary
- driveId parameter to all Microsoft Excel tools for SharePoint file access
- /api/tools/microsoft_excel/drives route to list SharePoint document libraries

Type of Change
Testing
Tested manually
Checklist