Backport NuGet auth fix to update_script; Prevent NuGet leaking pas…

…swords in logs (#1256)

updater/bin/update_script.rb

@@ -46,7 +46,10 @@
 require "tinglesoftware/dependabot/clients/azure"
 require "tinglesoftware/dependabot/vulnerabilities"
 
+# Fixes for NuGet feed auth issues
+# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
 require "tinglesoftware/azure/artifacts_credential_provider"
+require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 
 # These options try to follow the dry-run.rb script.
 # https://github.com/dependabot/dependabot-core/blob/main/bin/dry-run.rb

updater/bin/update_script_vnext.rb

@@ -10,8 +10,6 @@
 require "tinglesoftware/dependabot/job"
 require "tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command"
 
-require "tinglesoftware/azure/artifacts_credential_provider"
-
 ENV["UPDATER_ONE_CONTAINER"] = "true" # The full end-to-end update will happen in a single container
 ENV["UPDATER_DETERMINISTIC"] = "true" # The list of dependencies to update will be consistent across multiple runs
 

updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb

@@ -75,9 +75,14 @@ def self.package_source_credentials_xml_lines(credentials) # rubocop:disable Met
           # When using DevOps PATs, the token is split into username/password parts; Username is not significant.
           # e.g. token "PAT:12345" --> { "username": "PAT", "password": "12345" }
           #            ":12345"    --> { "username": "", "password": "12345" }
-          #            "12345"     --> { "username": "12345", "password": "12345" }
+          #            "12345"     --> { "username": "12345", "password": "12345" } # username gets redacted to "user"
           source_username = c["username"] || c["token"]&.split(":")&.first
           source_password = c["password"] || c["token"]&.split(":")&.last
+          # NuGet.exe will log the username in plain text to the console, which is not great for security!
+          # If the username and password are the same value, we can assume that "token" auth is being used and that the
+          # username is not significant, so redact it to something generic to avoid leaking sensitive information.
+          # e.g. { "username": "12345", "password": "12345" } --> { "username": "user", "password": "12345" }
+          source_username = "user" if source_username == source_password
           [
             "<#{source_key}>",
             "  <add key=\"Username\" value=\"#{source_username}\" />",

updater/lib/tinglesoftware/dependabot/setup.rb

@@ -65,5 +65,9 @@
 require "dependabot/devcontainers"
 
 # Overrides for dependabot core functionality that are currently not extensible
-require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 require "tinglesoftware/dependabot/overrides/pull_request_creator/pr_name_prefixer"
+
+# Fixes for NuGet feed auth issues
+# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
+require "tinglesoftware/azure/artifacts_credential_provider"