Skip to content

Skip wave-attack detection for bypassed requests#624

Open
bitterpanda63 wants to merge 2 commits intomainfrom
fix-wave-attack
Open

Skip wave-attack detection for bypassed requests#624
bitterpanda63 wants to merge 2 commits intomainfrom
fix-wave-attack

Conversation

@bitterpanda63
Copy link
Copy Markdown
Member

@bitterpanda63 bitterpanda63 commented Apr 16, 2026
edited by aikido-pr-checks bot
Loading

Summary

Two related fixes for the wave-attack detector:

  1. Defensive bypass check. `is_attack_wave` now returns False when `BypassedContextStore.is_bypassed()` is set. Callers should normally never reach here for bypassed requests (the framework entry point clears the context), but this keeps wave detection consistent with all other per-request blocking sites.

  2. Regression test for sample collection. 16 requests with distinct query strings should produce 15 unique samples — but `context.url` previously stripped the query string, collapsing them all into 1 sample. Test added to lock in the post-fix behavior.

Tests fixed in QA suite

Dependencies

This PR's QA gate passes only after both dependencies merge:

The detector code change here is independent of either, but the QA test re-enable will fail until both land.

Test plan

  • New unit test: 16 unique-query-string requests produce 15 distinct samples.
  • New unit test: bypass flag set → `is_attack_wave` returns False and never collects samples.
  • Full unit suite passes locally.
  • QA suite: verify `test_wave_attack` passes once both deps merge.

Merge notes

  • Includes `aikido_zen/storage/bypassed_context_store.py` and its test (identical to the file in Skip context creation for bypassed IPs #623). When both merge, the file content is the same — git will report no conflict.
  • Conflicts with the `skip_tests:` line in `.github/workflows/qa-tests.yml` are expected — resolve by keeping the union of removals.

🤖 Generated with Claude Code

Summary by Aikido

Security Issues: 0 Quality Issues: 0 Resolved Issues: 0

🚀 New Features

  • Added bypassed_context_store to record per-request bypass status using contextvars

⚡ Enhancements

  • Preserved URL query strings for ASGI and WSGI request builders
  • Removed wave_attack and path_traversal from QA skip list

🐛 Bugfixes

  • Skipped wave-attack detection for bypassed requests and prevented sample collection

More info

@bitterpanda63
Include query string in URL for ASGI/WSGI requests
30bc365 
The request URL captured for attack events was missing the query string,
causing path-traversal events (and other query-driven attacks) to lose
the malicious payload from their reported URL.

Re-enables test_path_traversal in the QA suite.
@bitterpanda63
Skip wave-attack detection for bypassed requests
bc8b579 
Adds a defensive bypass-flag check inside is_attack_wave so that wave
detection consistently honours the BypassedContextStore signal even if a
caller forgot to skip post_response for a bypassed request.

Also adds two regression tests:
- 16 requests with distinct query strings produce 15 unique samples
  (previously collapsed to 1 sample because URL stripped the query string).
- Bypassed flag set: is_attack_wave returns False and never collects samples.

Re-enables test_wave_attack in the QA suite. The QA test relies on:
- The BypassedContextStore wiring from "Skip context creation for bypassed IPs".
- The query-string preservation from "Include query string in URL for ASGI/WSGI requests".
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bitterpanda63