Skip to content

Use pytricia for ip matching on non-windows machines #547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bitterpanda63 wants to merge 42 commits into
base: main
Choose a base branch
from
Open

Use pytricia for ip matching on non-windows machines #547

bitterpanda63 wants to merge 42 commits into from

Conversation

@bitterpanda63
Copy link
Member

@bitterpanda63 bitterpanda63 commented Dec 8, 2025
edited by aikido-pr-checks bot
Loading

Summary by Aikido

⚠️ Security Issues: 1 🔍 Quality Issues: 3 Resolved Issues: 0

🚀 New Features

  • Added pure-Python ip_matcher_fallback module and runtime pytricia warning.

⚡ Enhancements

  • Replaced internal matcher with pytricia-backed IPMatcher and preparse.

🔧 Refactors

  • Refactored callers to initialize IPMatcher with lists and freeze.

More info

@bitterpanda63
is_private_ip: Use IPMatcher
1c6d6f3
@bitterpanda63
use singleton structure
e968e77
@bitterpanda63
add benchmarking script
64d263e
@bitterpanda63
Install pytricia
d873fdf
@bitterpanda63
Merge remote-tracking branch 'origin/main' into test-with-pytricia
9ddede9
@bitterpanda63
Switch ip matcher up: use pytricia
09e98c6
@bitterpanda63
remove useless code in favor of pytricia
c4dfc10
@bitterpanda63
pytricia add support for ipv6
828d265
@bitterpanda63
linting
66eb7b2
@bitterpanda63
re-lock sample apps
eb5e75f
@bitterpanda63
Allow for a "freeze()" command to be run
b1e95a7
@bitterpanda63
update benchmark to freeze
fc2fb7a
@bitterpanda63
update is_private_ip to test frozen
4c89db1
@bitterpanda63
freeze should return IPMatcher
848fbdf
@bitterpanda63
imds: Use constructor instead
0d09bbb
@bitterpanda63
bypassed_ips: use constructor instead
64679b8
@bitterpanda63
is_private_ip use constructor
3cecdb2
@bitterpanda63
IPMatcher always freeze on init
3844902
@bitterpanda63
ip matcher benhcmakr update: is always frozen on init
27812b6
@bitterpanda63
remove .freeze() incompat
944fe15
@bitterpanda63
finally remove the freeze command from IPMatcher
f3e248e
@bitterpanda63
Add a preparse function to IPMatcher
4cfae74
@bitterpanda63
Fix thread_cache_test cases because add is now not working anymore
061ef75
@bitterpanda63
check ipv4 mapped ipv6
9244f8b
@bitterpanda63
Fix one test case in ip_matcher
dd2ad34
@bitterpanda63
change py version
7e31023
@bitterpanda63
Revert "change py version"
52e2d88 
This reverts commit 7e31023.
@bitterpanda63
Merge remote-tracking branch 'origin/main' into test-with-pytricia
1ef435a
@bitterpanda63
add ip_matcher_fallback back in
7f965f8
@bitterpanda63
install pytricia only if the platform is not windows, if the platform…
7443ef7 
… is windows use fallback
@bitterpanda63 bitterpanda63 changed the title IPMatcher: Switch node logic out in favour of pytricia Use pytricia for ip matching on non-windows machines Jan 14, 2026
bitterpanda63
bitterpanda63 commented Jan 14, 2026
View reviewed changes
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Jan 14, 2026
View reviewed changes
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Jan 14, 2026
View reviewed changes
aikido_zen/helpers/ip_matcher/__init__.py


def preparse(network: str) -> str:
# Remove the brackets around IPv6 addresses if they are there.
Copy link

@aikido-pr-checks aikido-pr-checks bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment on preparse merely restates the code. Either remove it or replace with why this normalization is needed (e.g., to canonicalize bracketed IPv6 and IPv4-mapped IPv6 inputs).

Details

✨ AI Reasoning
​A newly added comment adjacent to the preparse function only restates what the code does (removing square brackets). It doesn't explain why this normalization is required (e.g., to handle bracketed IPv6 input or IPv4-mapped IPv6 addresses in callers), so it provides low informational value and increases maintenance burden.

🔧 How do I fix it?
Write comments that explain the purpose, reasoning, or business logic behind the code using words like 'because', 'so that', or 'in order to'.

Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

timokoessler
timokoessler approved these changes Jan 15, 2026
View reviewed changes
timokoessler
timokoessler reviewed Jan 15, 2026
View reviewed changes
aikido_zen/helpers/ip_matcher_fallback/init_test.py

def test_with_ranges():
input_list = [
"192.168.0.0/24",
Copy link
Member

@timokoessler timokoessler Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe good to test with multiple overlapping ranges too?

Copy link
Member Author

@bitterpanda63 bitterpanda63 Jan 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these test cases are from node iirc? (also a bit out of scope, since this was existing code copied over)

hansott
hansott reviewed Jan 15, 2026
View reviewed changes
aikido_zen/helpers/ip_matcher_fallback/init_test.py
matcher = IPMatcher(input_list)
assert matcher.has("::ffff:0.0.0.0") == True
assert matcher.has("::ffff:127.0.0.1") == True
assert matcher.has("::ffff:123") == False
Copy link
Member

@hansott hansott Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so this case is different for both?

Copy link
Member Author

@bitterpanda63 bitterpanda63 Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, PyTricia is more accurate in this regard, this is also not a huge issue, and I think no one is running with windows in production. Given IPC also doesnt work

hansott
hansott reviewed Jan 15, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hansott hansott hansott left review comments

@timokoessler timokoessler timokoessler approved these changes

+1 more reviewer

@aikido-pr-checks aikido-pr-checks[bot] aikido-pr-checks[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bitterpanda63 @hansott @timokoessler