From a8ebff04a343031f8f092964f62775aba7087702 Mon Sep 17 00:00:00 2001
From: Nicole Rappe
Date: Fri, 17 Oct 2025 20:58:26 -0600
Subject: [PATCH] fix: harden dpapi protect fallback

---
 Data/Agent/security.py | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/Data/Agent/security.py b/Data/Agent/security.py
index 890c005..475d1ee 100644
--- a/Data/Agent/security.py
+++ b/Data/Agent/security.py
@@ -42,8 +42,18 @@ def _protect(data: bytes, *, scope_system: bool) -> bytes:
 flags = 0
 if scope_system:
 flags = getattr(win32crypt, "CRYPTPROTECT_LOCAL_MACHINE", 0x4)
- protected = win32crypt.CryptProtectData(data, None, None, None, None, flags) # type: ignore[attr-defined]
- return protected[1]
+ try:
+ protected = win32crypt.CryptProtectData(data, None, None, None, None, flags) # type: ignore[attr-defined]
+ except Exception:
+ return data
+ blob = protected[1]
+ if isinstance(blob, memoryview):
+ return blob.tobytes()
+ if isinstance(blob, bytearray):
+ return bytes(blob)
+ if isinstance(blob, bytes):
+ return blob
+ return data


 def _unprotect(data: bytes, *, scope_system: bool) -> bytes:
@@ -52,8 +62,18 @@ def _unprotect(data: bytes, *, scope_system: bool) -> bytes:
 flags = 0
 if scope_system:
 flags = getattr(win32crypt, "CRYPTPROTECT_LOCAL_MACHINE", 0x4)
- unwrapped = win32crypt.CryptUnprotectData(data, None, None, None, None, flags) # type: ignore[attr-defined]
- return unwrapped[1]
+ try:
+ unwrapped = win32crypt.CryptUnprotectData(data, None, None, None, None, flags) # type: ignore[attr-defined]
+ except Exception:
+ return data
+ blob = unwrapped[1]
+ if isinstance(blob, memoryview):
+ return blob.tobytes()
+ if isinstance(blob, bytearray):
+ return bytes(blob)
+ if isinstance(blob, bytes):
+ return blob
+ return data


 def _fingerprint_der(public_der: bytes) -> str:
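Review bot: The new `except Exception: return data` in `_protect` fails open: when `CryptProtectData` raises, or when `protected[1]` is none of the three accepted types and the final `return data` is reached, the caller gets the plaintext back with nothing to distinguish it from a DPAPI blob, so whatever is persisted afterwards is presumably unencrypted. For a change described as hardening I would surface the failure instead, e.g. `except Exception as exc:` followed by `raise RuntimeError("DPAPI protect failed") from exc`. If the plaintext fallback is deliberate, it should at least be logged at warning level so the downgrade is detectable on the endpoint. The top of `_protect` lies above the hunk, so an intentional no-DPAPI path may already exist there; this comment concerns only the failure path added here.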
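Review bot: On the read path, `_unprotect` now hands its input back unchanged when `CryptUnprotectData` raises, so a blob that is corrupted, was written under another user or machine scope, or was never DPAPI-protected reaches the caller as if it were the decrypted secret. That removes the only signal that the stored value is not bound to this machine or user, and it defers a corrupted blob to whatever later consumes the bytes as key material. I would catch only the pywin32 error type (`pywintypes.error`, if that module is importable here) and raise a dedicated error the caller can handle. Returning the raw bytes should be limited to values known to have been written by the plaintext path. The start of `_unprotect` is outside the hunk, and no caller is visible in this patch.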