feat(import): harden untrusted spreadsheet boundaries

2026-03-30 08:02:52 +02:00
parent fac8c1c3a5
commit f6daf21983
13 changed files with 561 additions and 76 deletions
@@ -3,6 +3,7 @@
import { useState, useRef } from "react";
import { trpc } from "~/lib/trpc/client.js";
import { parseSkillMatrixWorkbook, matchRoleName } from "~/lib/skillMatrixParser.js";
import { assertSpreadsheetFile } from "~/lib/excel.js";
import type { SkillEntry } from "@capakraken/shared";
interface ParsedEntry {
@@ -54,6 +55,7 @@ export function BatchSkillImport() {
);
try {
assertSpreadsheetFile(file, { allowCsv: false, contextLabel: "skill matrix import" });
const buffer = await file.arrayBuffer();
const result = await parseSkillMatrixWorkbook(buffer);
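Review bot: The `assertSpreadsheetFile(file, { allowCsv: false, ... })` call added at line 18 runs in the browser, so it is a convenience check rather than a trust boundary — anyone can skip it and submit arbitrary bytes or entries to the trpc mutation that receives the parsed result, and the `accept=".xlsx"` attribute on the file input is likewise only a picker hint. Unless the server side (not in this hunk) applies the same extension/content validation, the "harden untrusted spreadsheet boundaries" goal is only half met; please confirm the endpoint re-validates independently. It is also worth bounding size before `file.arrayBuffer()`, since an .xlsx is a zip container that is fully buffered here and then inflated by the parser, e.g. `if (file.size > MAX_WORKBOOK_BYTES) throw new Error("Workbook too large");` — unless `assertSpreadsheetFile` already enforces a ceiling, which its body (not visible here) may do. The enclosing handler starts and ends outside the hunk.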
@@ -152,7 +154,7 @@ export function BatchSkillImport() {
</svg>
<p className="text-sm font-medium text-gray-700 dark:text-gray-300">Click to select multiple .xlsx files</p>
<p className="text-xs text-gray-400 dark:text-gray-500 mt-1">Name files after resource EID or display name for automatic matching</p>
<input ref={fileRef} type="file" accept=".xlsx,.xls" multiple className="hidden" onChange={handleFiles} />
<input ref={fileRef} type="file" accept=".xlsx" multiple className="hidden" onChange={handleFiles} />
</div>
{/* Summary */}