make unprotect errors noisier, fix problem saving protected tree, add test

Evidlo · Evidlo · commit 9f517fefcbcd · 2021-03-15T11:29:51.000-05:00
fix protected-&gt;Protected attribute
add PyKeePass.reload()
dont modify protected value while parsing XML
diff --git a/pykeepass/entry.py b/pykeepass/entry.py
@@ -49,7 +49,7 @@ def __init__(self, title=None, username=None, password=None, url=None,
             self._element.append(E.String(E.Key('Title'), E.Value(title)))
             self._element.append(E.String(E.Key('UserName'), E.Value(username)))
             self._element.append(
-                E.String(E.Key('Password'), E.Value(password, protected="False"))
+                E.String(E.Key('Password'), E.Value(password, Protected="True"))
             )
             if url:
                 self._element.append(E.String(E.Key('URL'), E.Value(url)))
diff --git a/pykeepass/kdbx_parsing/common.py b/pykeepass/kdbx_parsing/common.py
@@ -8,6 +8,7 @@
 from lxml import etree
 from copy import deepcopy
 import base64
+from binascii import Error as BinasciiError
 import unicodedata
 import zlib
 import re
@@ -191,7 +192,6 @@ class UnprotectedStream(Adapter):
     provided by get_cipher"""
 
     protected_xpath = '//Value[@Protected=\'True\']'
-    unprotected_xpath = '//Value[@Protected=\'False\']'
 
     def __init__(self, protected_stream_key, subcon):
         super(UnprotectedStream, self).__init__(subcon)
@@ -201,29 +201,33 @@ def _decode(self, tree, con, path):
         cipher = self.get_cipher(self.protected_stream_key(con))
         for elem in tree.xpath(self.protected_xpath):
             if elem.text is not None:
-                result = cipher.decrypt(base64.b64decode(elem.text)).decode('utf-8')
-                # strip invalid XML characters - https://stackoverflow.com/questions/8733233
-                result = re.sub(
-                    u'[^\u0020-\uD7FF\u0009\u000A\u000D\uE000-\uFFFD\U00010000-\U0010FFFF]+',
-                    '',
-                    result
-                )
-                elem.text = result
-            elem.attrib['Protected'] = 'False'
+                try:
+                    result = cipher.decrypt(base64.b64decode(elem.text)).decode('utf-8')
+                    # strip invalid XML characters - https://stackoverflow.com/questions/8733233
+                    result = re.sub(
+                        u'[^\u0020-\uD7FF\u0009\u000A\u000D\uE000-\uFFFD\U00010000-\U0010FFFF]+',
+                        '',
+                        result
+                    )
+                    elem.text = result
+                except (UnicodeDecodeError, BinasciiError, ValueError):
+                    # FIXME: this should be a warning eventually, need to fix all databases in tests/ first
+                    log.error(
+                        "Element at {} marked as protected, but could not unprotect".format(tree.getpath(elem))
+                    )
         return tree
 
     def _encode(self, tree, con, path):
         tree_copy = deepcopy(tree)
         cipher = self.get_cipher(self.protected_stream_key(con))
-        for elem in tree_copy.xpath(self.unprotected_xpath):
+        for elem in tree_copy.xpath(self.protected_xpath):
             if elem.text is not None:
                 elem.text = base64.b64encode(
                     cipher.encrypt(
                         elem.text.encode('utf-8')
                     )
                 )
-            elem.attrib['Protected'] = 'True'
-        return tree
+        return tree_copy
 
 
 class ARCFourVariantStream(UnprotectedStream):
diff --git a/pykeepass/pykeepass.py b/pykeepass/pykeepass.py
@@ -123,6 +123,11 @@ def read(self, filename=None, password=None, keyfile=None,
             else:
                 raise
 
+    def reload(self):
+        """Reload current database using previous credentials """
+
+        self.read(self.filename, self.password, self.keyfile)
+
     def save(self, filename=None, transformed_key=None):
         """Save current database object to disk.
 
diff --git a/tests/tests.py b/tests/tests.py
@@ -842,6 +842,15 @@ def test_issue193(self):
         self.assertTrue(g.name is None)
         self.assertTrue(g in self.kp.groups)
 
+    def test_issue194(self):
+        # entries with Protected=True aren't being protected properly
+
+        self.kp_tmp.add_entry(self.kp_tmp.root_group, 'protect_test', 'user', 'pass')
+        self.kp_tmp.save()
+        self.kp_tmp.reload()
+        e = self.kp_tmp.find_entries(title='protect_test', first=True)
+        self.assertEqual(e.password, 'pass')
+
 
 
 class EntryFindTests4(KDBX4Tests, EntryFindTests3):

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ def __init__(self, title=None, username=None, password=None, url=None,`
`49`	`49`	`self._element.append(E.String(E.Key('Title'), E.Value(title)))`
`50`	`50`	`self._element.append(E.String(E.Key('UserName'), E.Value(username)))`
`51`	`51`	`self._element.append(`
`52`		`- E.String(E.Key('Password'), E.Value(password, protected="False"))`
	`52`	`+ E.String(E.Key('Password'), E.Value(password, Protected="True"))`
`53`	`53`	`)`
`54`	`54`	`if url:`
`55`	`55`	`self._element.append(E.String(E.Key('URL'), E.Value(url)))`