fix(datasource/pypi): sanitize GAR userinfo for authenticated lookups (#42541)

* fix(datasource/pypi): sanitize GAR userinfo for authenticated lookups

Strip URL userinfo from Google Artifact Registry PyPI lookup URLs only when
Google auth is being applied. This avoids got-derived Basic auth conflicts for
uv-style index URLs while keeping the change narrowly scoped to authenticated
datasource requests.

* Test getAuthHeaders with invalid URL

* Parse the URL once

* Remove cast and ignore error

* Remove test and add v8 ignore comment

---------

Co-authored-by: Michael Kriese <michael.kriese@visualon.de>

Author: maxbrunet

lib/modules/datasource/pypi/index.spec.ts

@@ -827,6 +827,40 @@ describe('modules/datasource/pypi/index', () => {
     expect(googleAuth).toHaveBeenCalledTimes(1);
   });
 
+  it('sanitizes GAR userinfo when Google auth is used', async () => {
+    httpMock
+      .scope('https://someregion-python.pkg.dev/some-project/some-repo/simple/')
+      .get('/dj-database-url/')
+      .reply(200, htmlResponse);
+    const config = {
+      registryUrls: [
+        'https://oauth2accesstoken@someregion-python.pkg.dev/some-project/some-repo/simple/',
+      ],
+    };
+    googleAuth.mockImplementationOnce(
+      // TODO: fix typing
+      vi.fn<any>(
+        class {
+          getAccessToken = vi.fn().mockResolvedValue('some-token');
+        },
+      ),
+    );
+    expect(
+      await getPkgReleases({
+        datasource,
+        ...config,
+        constraints: { python: '2.7' },
+        packageName: 'dj-database-url',
+      }),
+    ).toMatchObject({
+      isPrivate: true,
+      registryUrl:
+        'https://oauth2accesstoken@someregion-python.pkg.dev/some-project/some-repo/simple',
+      releases: djDatabaseUrlSimpleReleases,
+    });
+    expect(googleAuth).toHaveBeenCalledTimes(1);
+  });
+
   it('ignores an invalid URL when checking for auth headers', async () => {
     const config = {
       registryUrls: ['not-a-url/simple/'],

lib/modules/datasource/pypi/index.ts

@@ -82,23 +82,38 @@ export class PypiDatasource extends Datasource {
     return dependency;
   }
 
+  private sanitizeLookupUrl(lookupUrl: string, parsedUrl: URL): string {
+    if (!parsedUrl.username && !parsedUrl.password) {
+      return lookupUrl;
+    }
+
+    parsedUrl.username = '';
+    parsedUrl.password = '';
+    return parsedUrl.toString();
+  }
+
   private async getAuthHeaders(
     lookupUrl: string,
-  ): Promise<OutgoingHttpHeaders> {
+  ): Promise<{ headers: OutgoingHttpHeaders; lookupUrl: string }> {
     const parsedUrl = parseUrl(lookupUrl);
+    // v8 ignore if -- TODO: refactor to cover this branch through public behavior again
     if (!parsedUrl) {
       logger.once.debug({ lookupUrl }, 'Failed to parse URL');
-      return {};
+      return { headers: {}, lookupUrl };
     }
     if (parsedUrl.hostname.endsWith('.pkg.dev')) {
       const auth = await getGoogleAuthToken();
       if (auth) {
-        return { authorization: `Basic ${auth}` };
+        const sanitizedLookupUrl = this.sanitizeLookupUrl(lookupUrl, parsedUrl);
+        return {
+          headers: { authorization: `Basic ${auth}` },
+          lookupUrl: sanitizedLookupUrl,
+        };
       }
       logger.once.debug({ lookupUrl }, 'Could not get Google access token');
-      return {};
+      return { headers: {}, lookupUrl };
     }
-    return {};
+    return { headers: {}, lookupUrl };
   }
 
   private async getDependency(
@@ -111,8 +126,9 @@ export class PypiDatasource extends Datasource {
     ).href;
     const dependency: ReleaseResult = { releases: [] };
     logger.trace({ lookupUrl }, 'Pypi api got lookup');
-    const headers = await this.getAuthHeaders(lookupUrl);
-    const rep = await this.http.getJsonUnchecked<PypiJSON>(lookupUrl, {
+    const { headers, lookupUrl: sanitizedUrl } =
+      await this.getAuthHeaders(lookupUrl);
+    const rep = await this.http.getJsonUnchecked<PypiJSON>(sanitizedUrl, {
       headers,
     });
     const dep = rep?.body;
@@ -259,8 +275,9 @@ export class PypiDatasource extends Datasource {
       hostUrl,
     ).href;
     const dependency: ReleaseResult = { releases: [] };
-    const headers = await this.getAuthHeaders(lookupUrl);
-    const response = await this.http.getText(lookupUrl, { headers });
+    const { headers, lookupUrl: sanitizedUrl } =
+      await this.getAuthHeaders(lookupUrl);
+    const response = await this.http.getText(sanitizedUrl, { headers });
     const dep = response?.body;
     if (!dep) {
       logger.trace({ dependency: packageName }, 'pip package not found');