fix(microsoft-excel): use validateMicrosoftGraphId for driveId validation

waleedlatif1 · claude · waleedlatif1 · commit 3be18cab8655 · 2026-04-14T19:25:02.000-07:00
SharePoint drive IDs use the format b!&lt;base64-string&gt; which contains !
characters rejected by validateAlphanumericId. Switch all driveId
validation to validateMicrosoftGraphId which blocks path traversal and
control characters while accepting valid Microsoft Graph identifiers.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -77,7 +77,7 @@ export async function GET(request: NextRequest) {
     // When driveId is provided (SharePoint), search within that specific drive.
     // Otherwise, search the user's personal OneDrive.
     if (driveId) {
-      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }
diff --git a/apps/sim/app/api/tools/microsoft_excel/drives/route.ts b/apps/sim/app/api/tools/microsoft_excel/drives/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import {
-  validateAlphanumericId,
+  validateMicrosoftGraphId,
   validateSharePointSiteId,
 } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -70,7 +70,7 @@ export async function POST(request: NextRequest) {
 
     // Single-drive lookup when driveId is provided (used by fetchById)
     if (driveId) {
-      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }
diff --git a/apps/sim/app/api/tools/microsoft_excel/sheets/route.ts b/apps/sim/app/api/tools/microsoft_excel/sheets/route.ts
@@ -1,10 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import {
-  validateAlphanumericId,
-  validateMicrosoftGraphId,
-} from '@/lib/core/security/input-validation'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -72,7 +69,7 @@ export async function GET(request: NextRequest) {
     }
 
     if (driveId) {
-      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      const driveIdValidation = validateMicrosoftGraphId(driveId, 'driveId')
       if (!driveIdValidation.isValid) {
         return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }
diff --git a/apps/sim/tools/microsoft_excel/utils.ts b/apps/sim/tools/microsoft_excel/utils.ts
@@ -1,8 +1,5 @@
 import { createLogger } from '@sim/logger'
-import {
-  validateAlphanumericId,
-  validateMicrosoftGraphId,
-} from '@/lib/core/security/input-validation'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import type { ExcelCellValue } from '@/tools/microsoft_excel/types'
 
 const logger = createLogger('MicrosoftExcelUtils')
@@ -19,7 +16,7 @@ export function getItemBasePath(spreadsheetId: string, driveId?: string): string
   }
 
   if (driveId) {
-    const driveValidation = validateAlphanumericId(driveId, 'driveId')
+    const driveValidation = validateMicrosoftGraphId(driveId, 'driveId')
     if (!driveValidation.isValid) {
       throw new Error(driveValidation.error)
     }
