fix(microsoft-excel): use centralized input validation

Replace inline regex validation with platform validators from
@/lib/core/security/input-validation:
- validateSharePointSiteId for siteId in drives route
- validateAlphanumericId for driveId in drives, sheets, files routes
  and getItemBasePath utility

Author: waleedlatif1

apps/sim/app/api/auth/oauth/microsoft/files/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -75,8 +76,11 @@ export async function GET(request: NextRequest) {
 
     // When driveId is provided (SharePoint), search within that specific drive.
     // Otherwise, search the user's personal OneDrive.
-    if (driveId && !/^[\w-]+$/.test(driveId)) {
-      return NextResponse.json({ error: 'Invalid drive ID format' }, { status: 400 })
+    if (driveId) {
+      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      if (!driveIdValidation.isValid) {
+        return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
+      }
     }
     const drivePath = driveId ? `drives/${driveId}` : 'me/drive'
 

apps/sim/app/api/tools/microsoft_excel/drives/route.ts

@@ -1,6 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import {
+  validateAlphanumericId,
+  validateSharePointSiteId,
+} from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -37,9 +41,10 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Site ID is required' }, { status: 400 })
     }
 
-    if (!/^[\w.,;:-]+$/.test(siteId)) {
+    const siteIdValidation = validateSharePointSiteId(siteId, 'siteId')
+    if (!siteIdValidation.isValid) {
       logger.warn(`[${requestId}] Invalid siteId format`)
-      return NextResponse.json({ error: 'Invalid site ID format' }, { status: 400 })
+      return NextResponse.json({ error: siteIdValidation.error }, { status: 400 })
     }
 
     const authz = await authorizeCredentialUse(request, {
@@ -65,8 +70,9 @@ export async function POST(request: NextRequest) {
 
     // Single-drive lookup when driveId is provided (used by fetchById)
     if (driveId) {
-      if (!/^[\w-]+$/.test(driveId)) {
-        return NextResponse.json({ error: 'Invalid drive ID format' }, { status: 400 })
+      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      if (!driveIdValidation.isValid) {
+        return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
       }
 
       const url = `https://graph.microsoft.com/v1.0/sites/${siteId}/drives/${driveId}?$select=id,name,driveType,webUrl`

apps/sim/app/api/tools/microsoft_excel/sheets/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -62,8 +63,11 @@ export async function GET(request: NextRequest) {
       `[${requestId}] Fetching worksheets from Microsoft Graph API for workbook ${spreadsheetId}`
     )
 
-    if (driveId && !/^[\w-]+$/.test(driveId)) {
-      return NextResponse.json({ error: 'Invalid drive ID format' }, { status: 400 })
+    if (driveId) {
+      const driveIdValidation = validateAlphanumericId(driveId, 'driveId')
+      if (!driveIdValidation.isValid) {
+        return NextResponse.json({ error: driveIdValidation.error }, { status: 400 })
+      }
     }
 
     const basePath = driveId

apps/sim/blocks/blocks/microsoft_excel.ts

@@ -407,7 +407,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       dependsOn: ['credential'],
       mode: 'basic',
     },
-    // SharePoint Drive Selector (basic mode, depends on site)
+    // SharePoint Drive Selector (basic mode, only visible when a site is selected)
     {
       id: 'driveSelector',
       title: 'Document Library',

apps/sim/tools/microsoft_excel/utils.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import type { ExcelCellValue } from '@/tools/microsoft_excel/types'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 
 const logger = createLogger('MicrosoftExcelUtils')
 
@@ -10,8 +11,9 @@ const logger = createLogger('MicrosoftExcelUtils')
  */
 export function getItemBasePath(spreadsheetId: string, driveId?: string): string {
   if (driveId) {
-    if (!/^[\w-]+$/.test(driveId)) {
-      throw new Error('Invalid drive ID format')
+    const validation = validateAlphanumericId(driveId, 'driveId')
+    if (!validation.isValid) {
+      throw new Error(validation.error)
     }
     return `https://graph.microsoft.com/v1.0/drives/${driveId}/items/${spreadsheetId}`
   }