Skip to content

IPMatcher: Switch node logic out in favour of pytricia #547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bitterpanda63 wants to merge 27 commits into
base: main
Choose a base branch
from
Open

IPMatcher: Switch node logic out in favour of pytricia #547

bitterpanda63 wants to merge 27 commits into from

Conversation

@bitterpanda63
Copy link
Member

@bitterpanda63 bitterpanda63 commented Dec 8, 2025

No description provided.

@bitterpanda63
is_private_ip: Use IPMatcher
1c6d6f3
@bitterpanda63
use singleton structure
e968e77
@bitterpanda63
add benchmarking script
64d263e
@bitterpanda63
Install pytricia
d873fdf
@bitterpanda63
Merge remote-tracking branch 'origin/main' into test-with-pytricia
9ddede9
@bitterpanda63
Switch ip matcher up: use pytricia
09e98c6
@bitterpanda63
remove useless code in favor of pytricia
c4dfc10
@bitterpanda63
pytricia add support for ipv6
828d265
@bitterpanda63
linting
66eb7b2
@bitterpanda63
re-lock sample apps
eb5e75f
@bitterpanda63
Allow for a "freeze()" command to be run
b1e95a7
@bitterpanda63
update benchmark to freeze
fc2fb7a
@bitterpanda63
update is_private_ip to test frozen
4c89db1
@bitterpanda63
freeze should return IPMatcher
848fbdf
@bitterpanda63
imds: Use constructor instead
0d09bbb
@bitterpanda63
bypassed_ips: use constructor instead
64679b8
@bitterpanda63
is_private_ip use constructor
3cecdb2
@bitterpanda63
IPMatcher always freeze on init
3844902
@bitterpanda63
ip matcher benhcmakr update: is always frozen on init
27812b6
@bitterpanda63
remove .freeze() incompat
944fe15
@bitterpanda63
finally remove the freeze command from IPMatcher
f3e248e
@bitterpanda63
Add a preparse function to IPMatcher
4cfae74
@bitterpanda63
Fix thread_cache_test cases because add is now not working anymore
061ef75
@bitterpanda63
check ipv4 mapped ipv6
9244f8b
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Dec 9, 2025
View reviewed changes
aikido_zen/helpers/ip_matcher/__init__.py
def _add(self, network):
try:
self.trie[preparse(network)] = True
except ValueError:
Copy link

@aikido-pr-checks aikido-pr-checks bot Dec 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The _add method swallows ValueError and SystemError exceptions (bypassing error handling) which can hide failures when adding networks.

Details

🔧 How do I fix it?
Remove debugging statements like console.log, debugger, dd(), or logic bypasses like || true. Keep legitimate logging for monitoring and error handling.

More info - Comment @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.

aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Dec 9, 2025
View reviewed changes
aikido_zen/helpers/ip_matcher/__init__.py
ip = ipaddress.IPv6Address(network)
if ip.ipv4_mapped:
return str(ip.ipv4_mapped)
except ValueError:
Copy link

@aikido-pr-checks aikido-pr-checks bot Dec 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty except ValueError in preparse silently swallows parsing errors for IPv6 addresses

Details

✨ AI Reasoning
​​1) preparse strips brackets and tries to parse IPv6; the except ValueError is used to ignore parse failures and continue.
​2) Silently swallowing ValueError without comment hides unexpected input errors and makes debugging harder.
​3) This was introduced in the PR (lines added here) and therefore worsens error handling by adding an empty catch.

🔧 How do I fix it?
Add proper error handling in catch blocks. Log the error, show user feedback, or rethrow if needed.

More info - Comment @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.

aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Dec 9, 2025
View reviewed changes
aikido_zen/helpers/ip_matcher/__init__.py

def preparse(network: str) -> str:
# Remove the brackets around IPv6 addresses if they are there.
network = network.strip("[]")
Copy link

@aikido-pr-checks aikido-pr-checks bot Dec 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Function parameter 'network' is reassigned with network = network.strip("[]") in preparse; reassigning input parameters reduces clarity.

Details

✨ AI Reasoning
​​1) The new function preparse(network) strips surrounding brackets and may convert IPv6 mapped addresses to IPv4; it reassigns the parameter 'network' via network = network.strip("[]").
​2) Reassigning the function parameter can obscure the original input value and make debugging or future changes harder to follow.
​3) This change was introduced in this diff (preparse was added) and thus constitutes a new instance of argument reassignment, so it violates the rule.

🔧 How do I fix it?
Create new local variables instead of reassigning parameters. Use different variable names to clearly distinguish between input and modified values.

More info - Comment @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@aikido-pr-checks aikido-pr-checks[bot] aikido-pr-checks[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bitterpanda63