fix(microsoft-excel): address PR review feedback for SharePoint drive…

… support - Clear stale driveId/siteId/spreadsheetId when fileSource changes by adding fileSource to dependsOn arrays for siteSelector, driveSelector, and spreadsheetId selectors - Reorder manualDriveId before manualSpreadsheetId in advanced mode for logical top-down flow - Validate spreadsheetId with validateMicrosoftGraphId in getItemBasePath() and sheets route to close injection vector (uses permissive validator that accepts ! chars in OneDrive item IDs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
simstudioai · waleedlatif1 · Apr 15, 2026 · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
commit 326114d1ea9931853319853933dffbbee58bd37b
diff --git a/apps/sim/app/api/tools/microsoft_excel/sheets/route.ts b/apps/sim/app/api/tools/microsoft_excel/sheets/route.ts
@@ -1,7 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
+import {
+  validateAlphanumericId,
+  validateMicrosoftGraphId,
+} from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -63,6 +66,11 @@ export async function GET(request: NextRequest) {
       `[${requestId}] Fetching worksheets from Microsoft Graph API for workbook ${spreadsheetId}`
     )
 
+    const spreadsheetValidation = validateMicrosoftGraphId(spreadsheetId, 'spreadsheetId')
+    if (!spreadsheetValidation.isValid) {
+      return NextResponse.json({ error: spreadsheetValidation.error }, { status: 400 })
+    }
+
     if (driveId) {
       const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
       if (!driveIdValidation.isValid) {

diff --git a/apps/sim/blocks/blocks/microsoft_excel.ts b/apps/sim/blocks/blocks/microsoft_excel.ts
@@ -415,7 +415,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       selectorKey: 'sharepoint.sites',
       requiredScopes: [],
       placeholder: 'Select a SharePoint site',
-      dependsOn: ['credential'],
+      dependsOn: ['credential', 'fileSource'],
       condition: { field: 'fileSource', value: 'sharepoint' },
       required: { field: 'fileSource', value: 'sharepoint' },
       mode: 'basic',
@@ -430,7 +430,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       selectorKey: 'microsoft.excel.drives',
       selectorAllowSearch: false,
       placeholder: 'Select a document library',
-      dependsOn: ['credential', 'siteSelector'],
+      dependsOn: ['credential', 'siteSelector', 'fileSource'],
       condition: { field: 'fileSource', value: 'sharepoint' },
       required: { field: 'fileSource', value: 'sharepoint' },
       mode: 'basic',
@@ -446,19 +446,9 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       requiredScopes: [],
       mimeType: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
       placeholder: 'Select a spreadsheet',
-      dependsOn: { all: ['credential'], any: ['credential', 'driveSelector'] },
+      dependsOn: { all: ['credential', 'fileSource'], any: ['credential', 'driveSelector'] },
       mode: 'basic',
     },
-    // Manual Spreadsheet ID (advanced mode)
-    {
-      id: 'manualSpreadsheetId',
-      title: 'Spreadsheet ID',
-      type: 'short-input',
-      canonicalParamId: 'spreadsheetId',
-      placeholder: 'Enter spreadsheet ID',
-      dependsOn: { all: ['credential'], any: ['credential', 'manualDriveId'] },
-      mode: 'advanced',
-    },
     // Drive ID for SharePoint (advanced mode, only when SharePoint is selected)
     {
       id: 'manualDriveId',
@@ -469,6 +459,16 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       condition: { field: 'fileSource', value: 'sharepoint' },
       mode: 'advanced',
     },
+    // Manual Spreadsheet ID (advanced mode)
+    {
+      id: 'manualSpreadsheetId',
+      title: 'Spreadsheet ID',
+      type: 'short-input',
+      canonicalParamId: 'spreadsheetId',
+      placeholder: 'Enter spreadsheet ID',
+      dependsOn: { all: ['credential'], any: ['credential', 'manualDriveId'] },
+      mode: 'advanced',
+    },
     // Sheet Name Selector (basic mode)
     {
       id: 'sheetName',

diff --git a/apps/sim/tools/microsoft_excel/utils.ts b/apps/sim/tools/microsoft_excel/utils.ts
@@ -1,5 +1,8 @@
 import { createLogger } from '@sim/logger'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
+import {
+  validateAlphanumericId,
+  validateMicrosoftGraphId,
+} from '@/lib/core/security/input-validation'
 import type { ExcelCellValue } from '@/tools/microsoft_excel/types'
 
 const logger = createLogger('MicrosoftExcelUtils')
@@ -10,10 +13,15 @@ const logger = createLogger('MicrosoftExcelUtils')
  * When driveId is omitted, uses /me/drive/items/{itemId} (personal OneDrive).
  */
 export function getItemBasePath(spreadsheetId: string, driveId?: string): string {
+  const spreadsheetValidation = validateMicrosoftGraphId(spreadsheetId, 'spreadsheetId')
+  if (!spreadsheetValidation.isValid) {
+    throw new Error(spreadsheetValidation.error)
+  }
+
   if (driveId) {
-    const validation = validateAlphanumericId(driveId, 'driveId')
-    if (!validation.isValid) {
-      throw new Error(validation.error)
+    const driveValidation = validateAlphanumericId(driveId, 'driveId')
+    if (!driveValidation.isValid) {
+      throw new Error(driveValidation.error)
     }
     return `https://graph.microsoft.com/v1.0/drives/${driveId}/items/${spreadsheetId}`
   }