@bitterpanda63 bitterpanda63 commented Dec 8, 2025

Summary by Aikido

⚠️ Security Issues: 1 🔍 Quality Issues: 4 Resolved Issues: 0

🚀 New Features

  • Introduced pure-Python ip_matcher_fallback implementation and modules

⚡ Enhancements

  • Enabled optional pytricia usage with preparse and warning message

🔧 Refactors

  • Refactored callers to pass network lists to IPMatcher constructor

@bitterpanda63 bitterpanda63 changed the title IPMatcher: Switch node logic out in favour of pytricia Use pytricia for ip matching on non-windows machines Jan 14, 2026

def test_with_ranges():
input_list = [
"192.168.0.0/24",

Maybe good to test with multiple overlapping ranges too?


@bitterpanda63 bitterpanda63 Jan 15, 2026


these test cases are from node iirc? (also a bit out of scope, since this was existing code copied over)

matcher = IPMatcher(input_list)
assert matcher.has("::ffff:0.0.0.0") == True
assert matcher.has("::ffff:127.0.0.1") == True
assert matcher.has("::ffff:123") == False

so this case is different for both?

Member Author


yes, PyTricia is more accurate in this regard; this is also not a huge issue, and I think no one is running with Windows in production, given IPC also doesn't work.
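The `::ffff:` lookups discussed in this thread, together with the earlier suggestion to test overlapping ranges, are easier to reason about with a concrete matcher in hand. The block below is an added illustration written for this page, not the project's `IPMatcher`, the pytricia backend or the `ip_matcher_fallback` module. It is a pure-Python stand-in built on the standard `ipaddress` module, with one deliberate design choice labelled as an assumption: only the dotted-quad mapped form `::ffff:a.b.c.d` is treated as the IPv4 address `a.b.c.d`, while any other IPv6 text (such as `::ffff:123`) is matched against IPv6 networks only. The sample network list is constructed for the example; it includes the Alibaba Cloud metadata address that the PR adds to `imds_addresses` and two overlapping IPv4 ranges so that longest-prefix behaviour is visible.

```python
import ipaddress
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class IPMatcher:
    """Illustrative pure-Python matcher for a fixed list of IP networks.

    Assumptions (this is a stand-in for the example, not the project's class):
    - entries are CIDR strings or bare addresses; bare addresses become /32 or /128
    - IPv4 and IPv6 networks are kept in separate tables
    - '::ffff:a.b.c.d' (dotted-quad IPv4-mapped form) is looked up as a.b.c.d;
      any other IPv6 text is matched against IPv6 networks only
    - unparseable input never raises: has() returns False, match() returns None
    """

    def __init__(self, networks: Iterable[str]) -> None:
        self._v4: list = []
        self._v6: list = []
        for entry in networks:
            net = ipaddress.ip_network(entry.strip(), strict=False)
            if net.version == 4:
                self._v4.append(net)
            else:
                self._v6.append(net)
        # Most specific prefix first, so the first hit is the longest match
        # when ranges overlap (e.g. 10.1.0.0/16 wins over 10.0.0.0/8).
        self._v4.sort(key=lambda n: n.prefixlen, reverse=True)
        self._v6.sort(key=lambda n: n.prefixlen, reverse=True)

    @staticmethod
    def _parse(ip: str) -> Optional[Address]:
        text = ip.strip()
        # Only the dotted-quad mapped form is folded into the IPv4 table.
        if text.lower().startswith("::ffff:") and text.count(".") == 3:
            text = text[len("::ffff:"):]
        try:
            return ipaddress.ip_address(text)
        except ValueError:
            return None  # malformed input is simply "not matched"

    def match(self, ip: str) -> Optional[Network]:
        """Return the most specific network containing ip, or None."""
        addr = self._parse(ip)
        if addr is None:
            return None
        table = self._v4 if addr.version == 4 else self._v6
        for net in table:
            if addr in net:
                return net
        return None

    def has(self, ip: str) -> bool:
        return self.match(ip) is not None


# Constructed sample list (not the project's configuration).
SAMPLE_NETWORKS = [
    "192.168.0.0/24",
    "0.0.0.0/8",
    "127.0.0.0/8",
    "10.0.0.0/8",
    "10.1.0.0/16",       # overlaps 10.0.0.0/8; more specific
    "100.100.100.200",   # Alibaba Cloud IMDS address from the PR diff
    "2001:db8::/32",     # IPv6 documentation prefix
]


def demo() -> dict:
    """Run the lookups this thread discusses and return the outcomes."""
    m = IPMatcher(SAMPLE_NETWORKS)
    return {
        "v4_in_range": m.has("192.168.0.42"),
        "v4_outside": m.has("192.168.1.1"),
        "mapped_loopback": m.has("::ffff:127.0.0.1"),
        "mapped_zero": m.has("::ffff:0.0.0.0"),
        "mapped_not_dotted": m.has("::ffff:123"),
        "longest_prefix": str(m.match("10.1.2.3")),
        "shorter_prefix": str(m.match("10.2.2.3")),
        "imds": m.has("100.100.100.200"),
        "v6": m.has("2001:db8::1"),
        "garbage": m.has("not an ip"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keeping the two address families in separate tables is what makes the `::ffff:123` case come out as "not matched": it is syntactically valid IPv6, but under the stated assumption it is never reinterpreted as `0.0.1.35`, so it cannot fall into `0.0.0.0/8`. A backend that folds every IPv4-mapped address into the IPv4 table would answer differently, which is the kind of divergence the reviewer is asking about and why a test suite should pin down the intended semantics for both implementations.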

# Block the IP address used by Alibaba Cloud
imds_addresses.add("100.100.100.200")
imds_addresses.add(map_ipv4_to_ipv6("100.100.100.200"))
imds_addresses = IPMatcher(


imds_addresses is a module-level IPMatcher initialized at import; it will persist across requests and may unintentionally cache data between requests. Consider making it request-scoped or explicitly documenting intended shared cache.


✨ AI Reasoning
A module-level variable is being initialized during import and stored for the process lifetime. This can unintentionally cache request- or environment-specific data between requests/workers, causing cross-request leakage or stale data. The change replaces the prior empty-initialization line with a populated IPMatcher created at module import, increasing the chance that runtime state is shared across requests.

🔧 How do I fix it?
Avoid storing request-specific data in module-level variables. Use request-scoped variables or explicitly mark shared caches as intentional.


@bitterpanda63 bitterpanda63 merged commit d2b2c95 into main Feb 6, 2026
84 checks passed
@bitterpanda63 bitterpanda63 deleted the test-with-pytricia branch February 6, 2026 12:36