fix(microsoft-excel): address PR review comments

waleedlatif1 · waleedlatif1 · commit 61622531de25 · 2026-04-14T14:42:24.000-07:00
- Validate siteId/driveId format in drives route to prevent path traversal
- Use direct single-drive endpoint for fetchById instead of filtering full list
- Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context
- Fix NextRequest type in drives route for build compatibility
diff --git a/apps/sim/app/api/tools/microsoft_excel/drives/route.ts b/apps/sim/app/api/tools/microsoft_excel/drives/route.ts
@@ -1,5 +1,5 @@
 import { createLogger } from '@sim/logger'
-import { NextResponse } from 'next/server'
+import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -20,12 +20,12 @@ interface GraphDrive {
  * Used by the microsoft.excel.drives selector to let users pick
  * which drive contains their Excel file.
  */
-export async function POST(request: Request) {
+export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
     const body = await request.json()
-    const { credential, workflowId, siteId } = body
+    const { credential, workflowId, siteId, driveId } = body
 
     if (!credential) {
       logger.warn(`[${requestId}] Missing credential in request`)
@@ -37,7 +37,12 @@ export async function POST(request: Request) {
       return NextResponse.json({ error: 'Site ID is required' }, { status: 400 })
     }
 
-    const authz = await authorizeCredentialUse(request as Request, {
+    if (!/^[\w.,;:-]+$/.test(siteId)) {
+      logger.warn(`[${requestId}] Invalid siteId format`)
+      return NextResponse.json({ error: 'Invalid site ID format' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request, {
       credentialId: credential,
       workflowId,
     })
@@ -58,6 +63,35 @@ export async function POST(request: Request) {
       )
     }
 
+    // Single-drive lookup when driveId is provided (used by fetchById)
+    if (driveId) {
+      if (!/^[\w-]+$/.test(driveId)) {
+        return NextResponse.json({ error: 'Invalid drive ID format' }, { status: 400 })
+      }
+
+      const url = `https://graph.microsoft.com/v1.0/sites/${siteId}/drives/${driveId}?$select=id,name,driveType,webUrl`
+      const response = await fetch(url, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      })
+
+      if (!response.ok) {
+        const errorData = await response
+          .json()
+          .catch(() => ({ error: { message: 'Unknown error' } }))
+        return NextResponse.json(
+          { error: errorData.error?.message || 'Failed to fetch drive' },
+          { status: response.status }
+        )
+      }
+
+      const data: GraphDrive = await response.json()
+      return NextResponse.json(
+        { drive: { id: data.id, name: data.name, driveType: data.driveType } },
+        { status: 200 }
+      )
+    }
+
+    // List all drives for the site
     const url = `https://graph.microsoft.com/v1.0/sites/${siteId}/drives?$select=id,name,driveType,webUrl`
 
     const response = await fetch(url, {
diff --git a/apps/sim/blocks/blocks/microsoft_excel.ts b/apps/sim/blocks/blocks/microsoft_excel.ts
@@ -431,7 +431,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       requiredScopes: [],
       mimeType: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
       placeholder: 'Select a spreadsheet',
-      dependsOn: ['credential'],
+      dependsOn: { all: ['credential'], any: ['driveSelector'] },
       mode: 'basic',
     },
     // Manual Spreadsheet ID (advanced mode)
@@ -441,7 +441,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       type: 'short-input',
       canonicalParamId: 'spreadsheetId',
       placeholder: 'Enter spreadsheet ID',
-      dependsOn: ['credential'],
+      dependsOn: { all: ['credential'], any: ['manualDriveId'] },
       mode: 'advanced',
     },
     // Drive ID for SharePoint (advanced mode)
@@ -464,7 +464,10 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       selectorAllowSearch: false,
       placeholder: 'Select a sheet',
       required: true,
-      dependsOn: { all: ['credential'], any: ['spreadsheetId', 'manualSpreadsheetId'] },
+      dependsOn: {
+        all: ['credential'],
+        any: ['spreadsheetId', 'manualSpreadsheetId', 'driveSelector'],
+      },
       mode: 'basic',
     },
     // Manual Sheet Name (advanced mode)
@@ -475,7 +478,10 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       canonicalParamId: 'sheetName',
       placeholder: 'Name of the sheet/tab (e.g., Sheet1)',
       required: true,
-      dependsOn: ['credential'],
+      dependsOn: {
+        all: ['credential'],
+        any: ['manualDriveId'],
+      },
       mode: 'advanced',
     },
     // Cell Range (optional for read/write)
diff --git a/apps/sim/hooks/selectors/registry.ts b/apps/sim/hooks/selectors/registry.ts
@@ -1561,18 +1561,20 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     fetchById: async ({ context, detailId }: SelectorQueryArgs) => {
       if (!detailId || !context.siteId) return null
       const credentialId = ensureCredential(context, 'microsoft.excel.drives')
-      const body = JSON.stringify({
-        credential: credentialId,
-        workflowId: context.workflowId,
-        siteId: context.siteId,
-      })
-      const data = await fetchJson<{ drives: { id: string; name: string }[] }>(
+      const data = await fetchJson<{ drive: { id: string; name: string } }>(
         '/api/tools/microsoft_excel/drives',
-        { method: 'POST', body }
+        {
+          method: 'POST',
+          body: JSON.stringify({
+            credential: credentialId,
+            workflowId: context.workflowId,
+            siteId: context.siteId,
+            driveId: detailId,
+          }),
+        }
       )
-      const drive = (data.drives || []).find((d) => d.id === detailId) ?? null
-      if (!drive) return null
-      return { id: drive.id, label: drive.name }
+      if (!data.drive) return null
+      return { id: data.drive.id, label: data.drive.name }
     },
   },
   'microsoft.excel': {
