From bffcd5989d9d6f4a1d24b6d821493a91e30e1adf Mon Sep 17 00:00:00 2001
From: Rhys Koedijk
Date: Tue, 30 Jul 2024 23:44:24 +1200
Subject: [PATCH] Backport NuGet auth fix to `update_script`; Prevent NuGet leaking passwords in logs (#1256)
---
 updater/bin/update_script.rb | 3 +++
 updater/bin/update_script_vnext.rb | 2 --
 .../overrides/nuget/nuget_config_credential_helpers.rb | 7 ++++++-
 updater/lib/tinglesoftware/dependabot/setup.rb | 6 +++++-
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/updater/bin/update_script.rb b/updater/bin/update_script.rb
index 1cf6c8b9..dae45545 100644
--- a/updater/bin/update_script.rb
+++ b/updater/bin/update_script.rb
@@ -46,7 +46,10 @@
 require "tinglesoftware/dependabot/clients/azure"
 require "tinglesoftware/dependabot/vulnerabilities"
 
+# Fixes for NuGet feed auth issues
+# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
 require "tinglesoftware/azure/artifacts_credential_provider"
+require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 
 # These options try to follow the dry-run.rb script.
 # https://github.com/dependabot/dependabot-core/blob/main/bin/dry-run.rb
diff --git a/updater/bin/update_script_vnext.rb b/updater/bin/update_script_vnext.rb
index d603b63f..36b10c8e 100644
--- a/updater/bin/update_script_vnext.rb
+++ b/updater/bin/update_script_vnext.rb
@@ -10,8 +10,6 @@
 require "tinglesoftware/dependabot/job"
 require "tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command"
 
-require "tinglesoftware/azure/artifacts_credential_provider"
-
 ENV["UPDATER_ONE_CONTAINER"] = "true" # The full end-to-end update will happen in a single container
 ENV["UPDATER_DETERMINISTIC"] = "true" # The list of dependencies to update will be consistent across multiple runs
 
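Review bot: The two files added to update_script.rb here are the same pair the setup.rb hunk of this patch adds, but in the opposite order (`artifacts_credential_provider` first here, `nuget_config_credential_helpers` first there). If either file patches something the other defines at load time, the two entry points would end up behaving differently; pick one order and use it in both, for example by placing the new `require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"` above the existing `artifacts_credential_provider` line to match setup.rb. The identical two-line "Fixes for NuGet feed auth issues" / TODO comment is now maintained in two places as well; a short pointer such as `# See setup.rb for the NuGet auth TODO` here would keep the removal reminder in one spot.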
diff --git a/updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb b/updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb
index 45e16f64..43a98d3d 100644
--- a/updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb
+++ b/updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb
@@ -75,9 +75,14 @@ def self.package_source_credentials_xml_lines(credentials) # rubocop:disable Met
 # When using DevOps PATs, the token is split into username/password parts; Username is not significant.
 # e.g. token "PAT:12345" --> { "username": "PAT", "password": "12345" }
 # ":12345" --> { "username": "", "password": "12345" }
- # "12345" --> { "username": "12345", "password": "12345" }
+ # "12345" --> { "username": "12345", "password": "12345" } # username gets redacted to "user"
 source_username = c["username"] || c["token"]&.split(":")&.first
 source_password = c["password"] || c["token"]&.split(":")&.last
+ # NuGet.exe will log the username in plain text to the console, which is not great for security!
+ # If the username and password are the same value, we can assume that "token" auth is being used and that the
+ # username is not significant, so redact it to something generic to avoid leaking sensitive information.
+ # e.g. { "username": "12345", "password": "12345" } --> { "username": "user", "password": "12345" }
+ source_username = "user" if source_username == source_password
 [
 "<#{source_key}>",
 " ",
diff --git a/updater/lib/tinglesoftware/dependabot/setup.rb b/updater/lib/tinglesoftware/dependabot/setup.rb
index 4e09e472..5b0083a1 100644
--- a/updater/lib/tinglesoftware/dependabot/setup.rb
+++ b/updater/lib/tinglesoftware/dependabot/setup.rb
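Review bot: The new redaction line `source_username = "user" if source_username == source_password` also fires when both values are `nil`, because `nil == nil` is true in Ruby, so a credential entry with neither `username`/`password` nor `token` set would now emit `user` as its username where it previously emitted nothing. Guarding on presence limits the new behaviour to the token case the comment describes: `source_username = "user" if source_username && source_username == source_password`. Since this is the security-relevant part of the patch, it would be worth pinning with a small test that `{ "token" => "12345" }` yields username `user` while `{ "token" => "PAT:12345" }` keeps `PAT` and `{ "token" => ":12345" }` keeps the empty username. `package_source_credentials_xml_lines` starts before the hunk and the array it builds continues past it.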
@@ -65,5 +65,9 @@
 require "dependabot/devcontainers"
 
 # Overrides for dependabot core functionality that are currently not extensible
-require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 require "tinglesoftware/dependabot/overrides/pull_request_creator/pr_name_prefixer"
+
+ # Fixes for NuGet feed auth issues
+ # TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+ require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
+ require "tinglesoftware/azure/artifacts_credential_provider"