Mask auth token in locationUltilities.ts (#325)

* masking secrets in npm get accesstoken

* Update package json

* fix azure-pipelines-tasks-packaging-common repo url.
mask auth token in locationUltilities.ts
fixed some vulnerability by running npm audit fix

* add loc resource string

* fix test cases

Author: tintse-thxsky-MSFT

common-npm-packages/packaging-common/Tests/npm/npmL0.ts

@@ -248,7 +248,8 @@ export function npmcommon() {
             },
             getEndpointAuthorization: (id, optional) => {
                 return { scheme: 'OAuth', parameters: { 'AccessToken': authToken } };
-            }
+            },
+            setSecret : msg => null
         };
         const mockParser = {
             GetRegistries: (npmrc: string) => [registry]

common-npm-packages/packaging-common/locationUtilities.ts

@@ -116,7 +116,8 @@ export function getSystemAccessToken(): string {
     tl.debug('Getting credentials for local feeds');
     const auth = tl.getEndpointAuthorization('SYSTEMVSSCONNECTION', false);
     if (auth.scheme === 'OAuth') {
-        tl.debug('Got auth token');
+        tl.debug(tl.loc("Info_GotAndMaskAuth"));
+        tl.setSecret(auth.parameters['AccessToken']);
         return auth.parameters['AccessToken'];
     } else {
         tl.warning('Could not determine credentials to use');

common-npm-packages/packaging-common/module.json

@@ -14,6 +14,7 @@
         "Info_UsingToolPath": "Using tool path: %s",
         "Info_UsingVersion": "Using version: %s",
         "Info_BasicCredRestriction": "This task now configures NuGet to send these credentials using the Basic scheme\nonly. Most users will be unaffected by this change. If these are Windows domain\ncredentials and they have recently stopped working, try setting the build\nvariable %s to the value '%s' (without quotes).",
+        "Info_GotAndMaskAuth":"Got auth token, setting it as secret so it does not print in console log",
         "NGCommon_AddingSources": "Setting credentials in NuGet.config",
         "NGCommon_AreaNotFoundInSps": "Unable to locate the '%s' [%s] area. The service containing that area may not be available in your region.",
         "NGCommon_DetectedNuGetExtensionsPath": "Detected NuGet extensions loader path (NUGET_EXTENSIONS_PATH environment variable): %s",
@@ -27,6 +28,5 @@
         "NGCommon_UnabletoDetectNuGetVersion": "Unknown NuGet version selected.",
         "NGCommon_UnableToFindTool": "Unable to find tool %s",
         "Warning_SessionCreationFailed": "Could not create provenance session.",
-        "Warning_UpdatingNuGetVersion": "Updating version of NuGet.exe to %s from %s. Behavior changes or breaking changes might occur as NuGet updates to a new version. If this is not desired, uncheck the 'Check for Latest Version' option in the task."
-    }
+        "Warning_UpdatingNuGetVersion": "Updating version of NuGet.exe to %s from %s. Behavior changes or breaking changes might occur as NuGet updates to a new version. If this is not desired, uncheck the 'Check for Latest Version' option in the task."    }
 }

common-npm-packages/packaging-common/package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "azure-pipelines-tasks-packaging-common",
-    "version": "3.239.0",
+    "version": "3.241.0",
     "description": "Azure Pipelines Packaging Tasks Common",
     "scripts": {
         "test": "mocha _build/Tests/L0.js",
@@ -9,7 +9,7 @@
     "author": "Microsoft Corporation",
     "repository": {
         "type": "git",
-        "url": "https://github.com/Microsoft/azure-pipelines-tasks"
+        "url": "https://github.com/microsoft/azure-pipelines-tasks-common-packages/tree/main/common-npm-packages/packaging-common"
     },
     "license": "MIT",
     "dependencies": {
@@ -27,7 +27,7 @@
         "ltx": "^2.6.2",
         "mocha": "^8.4.0",
         "q": "^1.5.0",
-        "semver": "^5.5.0",
+        "semver": "^5.7.2",
         "typed-rest-client": "1.8.4"
     },
     "devDependencies": {