Use pytricia for ip matching on non-windows machines by bitterpanda63 · Pull Request #547 · AikidoSec/firewall-python

bitterpanda63 · 2025-12-08T18:36:28Z

Summary by Aikido

⚠️ Security Issues: 1	🔍 Quality Issues: 4	Resolved Issues: 0

🚀 New Features

Introduced pure-Python ip_matcher_fallback implementation and modules

⚡ Enhancements

Enabled optional pytricia usage with preparse and warning message

🔧 Refactors

Refactored callers to pass network lists to IPMatcher constructor

^{More info}

aikido_zen/helpers/ip_matcher/__init__.py

benchmarks/ip_matcher_benchmark/ip_matcher_benchmark.py

timokoessler · 2026-01-15T08:22:49Z

aikido_zen/helpers/ip_matcher_fallback/init_test.py

+
+def test_with_ranges():
+    input_list = [
+        "192.168.0.0/24",


Maybe good to test with multiple overlapping ranges too?

these test cases are from node iirc? (also a bit out of scope, since this was existing code copied over)

hansott · 2026-01-15T09:20:38Z

aikido_zen/helpers/ip_matcher_fallback/init_test.py

+    matcher = IPMatcher(input_list)
+    assert matcher.has("::ffff:0.0.0.0") == True
+    assert matcher.has("::ffff:127.0.0.1") == True
+    assert matcher.has("::ffff:123") == False


so this case is different for both?

yes, PyTricia is more accurate in this regard, this is also not a huge issue, and I think no one is running with windows in production. Given IPC also doesnt work

benchmarks/ip_matcher_benchmark/ip_matcher_benchmark.py

aikido_zen/helpers/ip_matcher/__init__.py

This reverts commit 7e31023.

… is windows use fallback

This reverts commit d032fdd.

aikido_zen/helpers/net/is_private_ip.py

aikido_zen/vulnerabilities/ssrf/imds.py

remove ipv4-mapped ipv6 addresses being added manually in imds.py

aikido-pr-checks · 2026-02-05T16:58:30Z

aikido_zen/vulnerabilities/ssrf/imds.py

-# Block the IP address used by Alibaba Cloud
-imds_addresses.add("100.100.100.200")
-imds_addresses.add(map_ipv4_to_ipv6("100.100.100.200"))
+imds_addresses = IPMatcher(


imds_addresses is a module-level IPMatcher initialized at import; it will persist across requests and may unintentionally cache data between requests. Consider making it request-scoped or explicitly documenting intended shared cache.

Details

✨ AI Reasoning
A module-level variable is being initialized during import and stored for the process lifetime. This can unintentionally cache request- or environment-specific data between requests/workers, causing cross-request leakage or stale data. The change replaces the prior empty-initialization line with a populated IPMatcher created at module import, increasing the chance that runtime state is shared across requests.

🔧 How do I fix it?
Avoid storing request-specific data in module-level variables. Use request-scoped variables or explicitly mark shared caches as intentional.

_{Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.}
_{Reply @AikidoSec ignore: [REASON] to ignore this issue.}
_{More info}

bitterpanda63 changed the title ~~IPMatcher: Switch node logic out in favour of pytricia~~ Use pytricia for ip matching on non-windows machines Jan 14, 2026

bitterpanda63 commented Jan 14, 2026

View reviewed changes

aikido_zen/helpers/ip_matcher/__init__.py Outdated Show resolved Hide resolved

aikido-pr-checks bot reviewed Jan 14, 2026

View reviewed changes

aikido_zen/helpers/ip_matcher/__init__.py Show resolved Hide resolved

timokoessler approved these changes Jan 15, 2026

View reviewed changes

aikido_zen/helpers/ip_matcher/__init__.py Outdated Show resolved Hide resolved

benchmarks/ip_matcher_benchmark/ip_matcher_benchmark.py Show resolved Hide resolved

timokoessler reviewed Jan 15, 2026

View reviewed changes

hansott reviewed Jan 15, 2026

View reviewed changes

benchmarks/ip_matcher_benchmark/ip_matcher_benchmark.py Show resolved Hide resolved

hansott reviewed Jan 15, 2026

View reviewed changes

benchmarks/ip_matcher_benchmark/ip_matcher_benchmark.py Show resolved Hide resolved

hansott reviewed Jan 15, 2026

View reviewed changes

aikido_zen/helpers/ip_matcher/__init__.py Show resolved Hide resolved

hansott approved these changes Feb 5, 2026

View reviewed changes

bitterpanda63 added 20 commits February 5, 2026 13:36

is_private_ip: Use IPMatcher

5724432

use singleton structure

6702883

add benchmarking script

3901f87

Install pytricia

1176b48

Switch ip matcher up: use pytricia

a8e2713

remove useless code in favor of pytricia

9022d86

pytricia add support for ipv6

e74e49a

linting

1070aa0

re-lock sample apps

e2b38c9

Allow for a "freeze()" command to be run

c94a60c

update benchmark to freeze

42d84c2

update is_private_ip to test frozen

5290817

freeze should return IPMatcher

6f7ed36

imds: Use constructor instead

52f9261

bypassed_ips: use constructor instead

857c89c

is_private_ip use constructor

7ff8990

IPMatcher always freeze on init

750fcb1

ip matcher benhcmakr update: is always frozen on init

92658ca

remove .freeze() incompat

a5b4216

finally remove the freeze command from IPMatcher

3469410

bitterpanda63 added 17 commits February 5, 2026 13:36

Fix one test case in ip_matcher

5944920

change py version

0474f04

Revert "change py version"

18535ab

This reverts commit 7e31023.

add ip_matcher_fallback back in

dc9988f

install pytricia only if the platform is not windows, if the platform…

c17f6ec

… is windows use fallback

re-lock

245723c

Update comment explaining why we have the fallback

3fcd7b4

also put app start in the re-try github action

a258f30

add the removed test cases back in

8d117fb

Don't run poetry install quietly

b2380ec

install: ignore failures

8be88b0

Revert "also put app start in the re-try github action"

c524a59

This reverts commit d032fdd.

Update aikido_zen/helpers/ip_matcher/__init__.py

d3ec3b6

add comment explaining SystemError

7ae85e9

update fallback comment to be clearer

178be55

Test an edge case

4910099

test edge case again

21b30a7

bitterpanda63 force-pushed the test-with-pytricia branch from bde96b9 to 21b30a7 Compare February 5, 2026 12:36

bitterpanda63 commented Feb 5, 2026

View reviewed changes

aikido_zen/helpers/net/is_private_ip.py Outdated Show resolved Hide resolved

Update aikido_zen/helpers/net/is_private_ip.py

a52255f

bitterpanda63 commented Feb 5, 2026

View reviewed changes

aikido_zen/helpers/net/is_private_ip.py Outdated Show resolved Hide resolved

Update aikido_zen/helpers/net/is_private_ip.py

7a4e26d

bitterpanda63 commented Feb 5, 2026

View reviewed changes

aikido_zen/vulnerabilities/ssrf/imds.py Outdated Show resolved Hide resolved

bitterpanda63 commented Feb 5, 2026

View reviewed changes

aikido_zen/vulnerabilities/ssrf/imds.py Outdated Show resolved Hide resolved

bitterpanda63 added 3 commits February 5, 2026 13:40

Apply suggestions from code review

2f83c3e

remove ipv4-mapped ipv6 addresses being added manually in imds.py

re-lock newer sample app django-asgi-uvicorn

42bed16

Fix linting errors: remove unused imports

1dd6792

aikido-pr-checks bot reviewed Feb 5, 2026

View reviewed changes

bitterpanda63 merged commit d2b2c95 into main Feb 6, 2026
84 checks passed

bitterpanda63 deleted the test-with-pytricia branch February 6, 2026 12:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use pytricia for ip matching on non-windows machines#547

Use pytricia for ip matching on non-windows machines#547
bitterpanda63 merged 45 commits intomainfrom
test-with-pytricia

bitterpanda63 commented Dec 8, 2025 •

edited by aikido-pr-checks bot

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

timokoessler Jan 15, 2026

Uh oh!

bitterpanda63 Jan 15, 2026 •

edited

Loading

Uh oh!

hansott Jan 15, 2026

Uh oh!

bitterpanda63 Jan 15, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aikido-pr-checks bot Feb 5, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

bitterpanda63 commented Dec 8, 2025 • edited by aikido-pr-checks bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by Aikido

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

timokoessler Jan 15, 2026

Choose a reason for hiding this comment

Uh oh!

bitterpanda63 Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

hansott Jan 15, 2026

Choose a reason for hiding this comment

Uh oh!

bitterpanda63 Jan 15, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aikido-pr-checks bot Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

bitterpanda63 commented Dec 8, 2025 •

edited by aikido-pr-checks bot

Loading

bitterpanda63 Jan 15, 2026 •

edited

Loading