mirror of
https://github.com/simstudioai/sim.git
synced 2026-04-28 03:00:29 -04:00
* feat(microsoft-excel): add SharePoint drive support for Excel integration

* fix(microsoft-excel): address PR review comments

  - Validate siteId/driveId format in drives route to prevent path traversal
  - Use direct single-drive endpoint for fetchById instead of filtering full list
  - Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context
  - Fix NextRequest type in drives route for build compatibility

* fix(microsoft-excel): validate driveId in files route

  Add regex validation for driveId query param in the Microsoft OAuth files route to prevent path traversal, matching the drives route.

* fix(microsoft-excel): unblock OneDrive users and validate driveId in sheets route

  - Add credential to any[] arrays so OneDrive users (no drive selected) still pass the dependsOn gate while driveSelector remains in the dependency list for context flow to SharePoint users
  - Add /^[\w-]+$/ validation for driveId in sheets API route

* fix(microsoft-excel): validate driveId in getItemBasePath utility

  Add regex validation for driveId at the shared utility level to prevent path traversal through the tool execution path, which bypasses the API route validators.

* fix(microsoft-excel): use centralized input validation

  Replace inline regex validation with platform validators from @/lib/core/security/input-validation:

  - validateSharePointSiteId for siteId in drives route
  - validateAlphanumericId for driveId in drives, sheets, files routes and getItemBasePath utility

* lint

* improvement(microsoft-excel): add File Source dropdown to control SharePoint visibility

  Replace always-visible optional SharePoint fields with a File Source dropdown (OneDrive/SharePoint) that conditionally shows site and drive selectors. OneDrive users see zero extra fields (default). SharePoint users switch the dropdown and get the full cascade.

* fix(microsoft-excel): fix canonical param test failures

  Make fileSource dropdown mode:'both' so it appears in basic and advanced modes. Add condition to manualDriveId to match driveSelector's condition, satisfying the canonical pair consistency test.

* fix(microsoft-excel): address PR review feedback for SharePoint drive support

  - Clear stale driveId/siteId/spreadsheetId when fileSource changes by adding fileSource to dependsOn arrays for siteSelector, driveSelector, and spreadsheetId selectors
  - Reorder manualDriveId before manualSpreadsheetId in advanced mode for logical top-down flow
  - Validate spreadsheetId with validateMicrosoftGraphId in getItemBasePath() and sheets route to close injection vector (uses permissive validator that accepts ! chars in OneDrive item IDs)

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(microsoft-excel): use validateMicrosoftGraphId for driveId validation

  SharePoint drive IDs use the format b!<base64-string> which contains ! characters rejected by validateAlphanumericId. Switch all driveId validation to validateMicrosoftGraphId which blocks path traversal and control characters while accepting valid Microsoft Graph identifiers.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(microsoft-excel): use validatePathSegment with strict pattern for driveId/spreadsheetId

  Replace validateMicrosoftGraphId with validatePathSegment using a custom pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment blocks /, \, path traversal, and null bytes before checking the pattern, preventing URL-modifying characters like ?, #, & from altering the Graph API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* fix(microsoft-excel): reorder driveId before spreadsheetId in v1 block

  Move driveId subBlock before manualSpreadsheetId in the legacy v1 block to match the logical top-down flow (Drive ID → Spreadsheet ID), consistent with the v2 block ordering.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(microsoft-excel): clear manualDriveId when fileSource changes

  Add dependsOn: ['fileSource'] to manualDriveId so its value is cleared when switching from SharePoint back to OneDrive. Without this, the stale driveId would still be serialized and forwarded to getItemBasePath, routing through the SharePoint drive path instead of me/drive.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(microsoft-excel): use getItemBasePath in sheets route to remove duplication

  Replace inline URL construction and validation logic with the shared getItemBasePath utility, eliminating duplicated GRAPH_ID_PATTERN regex and conditional URL building.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
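
The validation order the commit message describes (refuse separators, traversal and null bytes, then apply the ^[a-zA-Z0-9!_-]+$ allow-list, then interpolate into the Graph URL), as an added example that is not code from the sim repository. The function names, the sample IDs and the exact URL layout (`me/drive/items/...` versus `drives/{driveId}/items/...`) are assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not the sim repository's code.
const GRAPH_BASE = 'https://graph.microsoft.com/v1.0'
// Pattern quoted in the commit message for URL-interpolated IDs.
const STRICT_ID = /^[a-zA-Z0-9!_-]+$/
// Earlier inline pattern from the commit message; it has no '!'.
const WORD_ID = /^[\w-]+$/

// Returns null when the segment is acceptable, otherwise the reason it was refused.
// Separators, traversal and null bytes are refused before the allow-list runs.
function checkSegment(value: string, pattern: RegExp): string | null {
  if (value.length === 0) return 'empty'
  if (/\0/.test(value)) return 'null byte'
  if (/[\/\\]/.test(value)) return 'path separator'
  if (/\.\./.test(value)) return 'traversal'
  if (!pattern.test(value)) return 'pattern'
  return null
}

// Shared path builder: every caller (API route or tool execution) goes through
// the same checks, so no route can interpolate an unchecked ID.
function itemBasePath(spreadsheetId: string, driveId?: string): string {
  const ids: [string, string | undefined][] = [
    ['spreadsheetId', spreadsheetId],
    ['driveId', driveId],
  ]
  for (const [name, id] of ids) {
    if (id === undefined) continue
    const reason = checkSegment(id, STRICT_ID)
    if (reason !== null) throw new Error(`invalid ${name}: ${reason}`)
  }
  // No driveId means the signed-in user's OneDrive; a driveId selects that drive.
  return driveId === undefined
    ? `${GRAPH_BASE}/me/drive/items/${spreadsheetId}`
    : `${GRAPH_BASE}/drives/${driveId}/items/${spreadsheetId}`
}

// Constructed sample IDs in the b!<base64> and item-ID shapes; not real identifiers.
const SAMPLE_DRIVE = 'b!Zm9vYmFy_c2FtcGxl-ZHJpdmU'
const SAMPLE_ITEM = '01ABCDEF234567!123'

// True when itemBasePath refuses the input instead of building a URL.
function rejected(spreadsheetId: string, driveId?: string): boolean {
  try { itemBasePath(spreadsheetId, driveId); return false } catch { return true }
}
```

`checkSegment(SAMPLE_DRIVE, WORD_ID)` returns `'pattern'`, which is the false rejection of SharePoint drive IDs that the later commits in this message work around.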