feat(microsoft-excel): add SharePoint drive support for Excel integration#4162
feat(microsoft-excel): add SharePoint drive support for Excel integration#4162waleedlatif1 merged 17 commits intostagingfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview Adds a new Updates both legacy and v2 Excel blocks/UI to support a OneDrive vs SharePoint flow (site → drive → spreadsheet → sheet in basic mode, manual Reviewed by Cursor Bugbot for commit def6e90. Configure here. |
Greptile SummaryAdds optional SharePoint drive support to all Microsoft Excel tools by introducing a Confidence Score: 5/5Safe to merge — all previously flagged P0/P1 security and regression issues are resolved; only minor style/docs P2 items remain. Prior rounds addressed path traversal (siteId/driveId/spreadsheetId validation), the stale driveId after source switch (dependsOn: fileSource), the OneDrive dependsOn regression (credential added to any-gates), and the fetchById bulk-fetch inefficiency. Remaining findings are a misplaced TSDoc block and missing docs entries for table_add/worksheet_add — neither blocks merge. apps/docs/content/docs/en/tools/microsoft_excel.mdx (missing driveId docs for table_add / worksheet_add tools) Important Files Changed
Sequence DiagramsequenceDiagram
participant UI as Block UI
participant Sites as sharepoint.sites selector
participant Drives as microsoft.excel.drives selector
participant Files as microsoft.excel selector
participant Sheets as microsoft.excel.sheets selector
participant DrivesAPI as /api/tools/microsoft_excel/drives
participant FilesAPI as /api/auth/oauth/microsoft/files
participant SheetsAPI as /api/tools/microsoft_excel/sheets
participant Graph as Microsoft Graph API
UI->>Sites: Select SharePoint site (→ siteId context)
Sites->>Graph: GET /sites?search=...
Graph-->>Sites: site list
UI->>Drives: Select document library (→ driveId context)
Drives->>DrivesAPI: POST {credential, siteId}
DrivesAPI->>Graph: GET /sites/{siteId}/drives
Graph-->>DrivesAPI: drives list
DrivesAPI-->>Drives: [{id, name}]
UI->>Files: Select spreadsheet (→ spreadsheetId context)
Files->>FilesAPI: GET ?credentialId&driveId&query
FilesAPI->>Graph: GET /drives/{driveId}/root/search(q='...')
Graph-->>FilesAPI: file list
FilesAPI-->>Files: [{id, name}]
UI->>Sheets: Select sheet (→ sheetName)
Sheets->>SheetsAPI: GET ?credentialId&spreadsheetId&driveId
SheetsAPI->>Graph: GET /drives/{driveId}/items/{spreadsheetId}/workbook/worksheets
Graph-->>SheetsAPI: worksheet list
SheetsAPI-->>Sheets: [{id, name}]
Reviews (11): Last reviewed commit: "lint" | Re-trigger Greptile |
- Validate siteId/driveId format in drives route to prevent path traversal - Use direct single-drive endpoint for fetchById instead of filtering full list - Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context - Fix NextRequest type in drives route for build compatibility
|
@greptile |
|
@cusror review |
Add regex validation for driveId query param in the Microsoft OAuth files route to prevent path traversal, matching the drives route.
|
@greptile |
|
@cursor review |
…sheets route - Add credential to any[] arrays so OneDrive users (no drive selected) still pass the dependsOn gate while driveSelector remains in the dependency list for context flow to SharePoint users - Add /^[\w-]+$/ validation for driveId in sheets API route
|
@greptile |
|
@cursor review |
Add regex validation for driveId at the shared utility level to prevent path traversal through the tool execution path, which bypasses the API route validators.
|
@greptile |
|
@cursor review |
Replace inline regex validation with platform validators from @/lib/core/security/input-validation: - validateSharePointSiteId for siteId in drives route - validateAlphanumericId for driveId in drives, sheets, files routes and getItemBasePath utility
|
@greptile |
|
@cursor review |
… driveId/spreadsheetId Replace validateMicrosoftGraphId with validatePathSegment using a custom pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment blocks /, \, path traversal, and null bytes before checking the pattern, preventing URL-modifying characters like ?, #, & from altering the Graph API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@greptile |
|
@cursor review |
Move driveId subBlock before manualSpreadsheetId in the legacy v1 block to match the logical top-down flow (Drive ID → Spreadsheet ID), consistent with the v2 block ordering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add dependsOn: ['fileSource'] to manualDriveId so its value is cleared when switching from SharePoint back to OneDrive. Without this, the stale driveId would still be serialized and forwarded to getItemBasePath, routing through the SharePoint drive path instead of me/drive. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@greptile |
|
@cursor review |
…ove duplication Replace inline URL construction and validation logic with the shared getItemBasePath utility, eliminating duplicated GRAPH_ID_PATTERN regex and conditional URL building. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@cursor review |
|
@greptile |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit def6e90. Configure here.
Summary
driveIdparameter to all Microsoft Excel tools for SharePoint file access/api/tools/microsoft_excel/drivesroute to list SharePoint document librariesType of Change
Testing
Tested manually
Checklist