fix(microsoft-excel): use validatePathSegment with strict pattern for driveId/spreadsheetId

Replace validateMicrosoftGraphId with validatePathSegment using a custom
pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment
blocks /, \, path traversal, and null bytes before checking the pattern,
preventing URL-modifying characters like ?, #, & from altering the Graph
API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/auth/oauth/microsoft/files/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -77,7 +77,10 @@ export async function GET(request: NextRequest) {
     // When driveId is provided (SharePoint), search within that specific drive.
     // Otherwise, search the user's personal OneDrive.
     if (driveId) {
-      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
+      const driveIdValidation = validatePathSegment(driveId, {
+        paramName: 'driveId',
+        customPattern: /^[a-zA-Z0-9!_-]+$/,
+      })
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }

apps/sim/app/api/tools/microsoft_excel/drives/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import {
-  validateMicrosoftGraphId,
+  validatePathSegment,
   validateSharePointSiteId,
 } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -70,7 +70,10 @@ export async function POST(request: NextRequest) {
 
     // Single-drive lookup when driveId is provided (used by fetchById)
     if (driveId) {
-      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
+      const driveIdValidation = validatePathSegment(driveId, {
+        paramName: 'driveId',
+        customPattern: /^[a-zA-Z0-9!_-]+$/,
+      })
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }

apps/sim/app/api/tools/microsoft_excel/sheets/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -63,13 +63,21 @@ export async function GET(request: NextRequest) {
       `[${requestId}] Fetching worksheets from Microsoft Graph API for workbook ${spreadsheetId}`
     )
 
-    const spreadsheetValidation = validateMicrosoftGraphId(spreadsheetId, 'spreadsheetId')
+    const graphIdPattern = /^[a-zA-Z0-9!_-]+$/
+
+    const spreadsheetValidation = validatePathSegment(spreadsheetId, {
+      paramName: 'spreadsheetId',
+      customPattern: graphIdPattern,
+    })
     if (!spreadsheetValidation.isValid) {
       return NextResponse.json({ error: spreadsheetValidation.error }, { status: 400 })
     }
 
     if (driveId) {
-      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
+      const driveIdValidation = validatePathSegment(driveId, {
+        paramName: 'driveId',
+        customPattern: graphIdPattern,
+      })
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }

apps/sim/tools/microsoft_excel/utils.ts

@@ -1,5 +1,5 @@
 import { createLogger } from '@sim/logger'
-import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import type { ExcelCellValue } from '@/tools/microsoft_excel/types'
 
 const logger = createLogger('MicrosoftExcelUtils')
@@ -9,14 +9,23 @@ const logger = createLogger('MicrosoftExcelUtils')
  * When driveId is provided, uses /drives/{driveId}/items/{itemId} (SharePoint/shared drives).
  * When driveId is omitted, uses /me/drive/items/{itemId} (personal OneDrive).
  */
+/** Pattern for Microsoft Graph item/drive IDs: alphanumeric, hyphens, underscores, and ! (for SharePoint b!<base64> format) */
+const GRAPH_ID_PATTERN = /^[a-zA-Z0-9!_-]+$/
+
 export function getItemBasePath(spreadsheetId: string, driveId?: string): string {
-  const spreadsheetValidation = validateMicrosoftGraphId(spreadsheetId, 'spreadsheetId')
+  const spreadsheetValidation = validatePathSegment(spreadsheetId, {
+    paramName: 'spreadsheetId',
+    customPattern: GRAPH_ID_PATTERN,
+  })
   if (!spreadsheetValidation.isValid) {
     throw new Error(spreadsheetValidation.error)
   }
 
   if (driveId) {
-    const driveValidation = validateMicrosoftGraphId(driveId, 'driveId')
+    const driveValidation = validatePathSegment(driveId, {
+      paramName: 'driveId',
+      customPattern: GRAPH_ID_PATTERN,
+    })
     if (!driveValidation.isValid) {
       throw new Error(driveValidation.error)
     }