Bug report
Describe the bug
java.net.InetAddress.getAllByName(String) instrumentation appears to report literal IP address parsing as outbound network activity.
We use firewall-java/Zen in production and see inbound client IP addresses reported as outbound connections. The likely cause is that Zen wraps InetAddress.getAllByName, but this JDK API is also used indirectly for parsing literal IP strings, not only for DNS lookup or outbound requests.
In our case, Spring Security's IpAddressMatcher is used by an inbound role/IP filter. It parses configured CIDR/IP values and inbound request IPs via InetAddress.getByName(...). The JDK implementation delegates getByName(...) to getAllByName(...)[0], so Zen sees these calls even though no outbound connection is being made.
To Reproduce
Steps to reproduce the behavior:
- Run a Java application with the firewall-java/Zen javaagent enabled.
- Execute code that parses a literal IP address, for example:
InetAddress.getByName("203.0.113.42");
or use Spring Security:
new IpAddressMatcher("203.0.113.0/24").matches("203.0.113.42");
- Inspect outbound connection / hostname telemetry in Aikido.
Expected behavior
Literal IP parsing should not be reported as an outbound connection.
A standalone InetAddress.getAllByName(...) / InetAddress.getByName(...) call with a literal IP address and no pending HTTP URL/request context should either be ignored for outbound telemetry or classified separately from outbound HTTP activity.
Real outbound requests, including requests to private or link-local IPs, should still be detected and protected.
Actual behavior
Literal IP addresses that are parsed for inbound access-control checks appear as outbound connection entries.
From the current firewall-java code, DNSRecordCollector.report(...) registers every java.net.InetAddress.getAllByName call as OperationKind.OUTGOING_HTTP_OP. If there is no pending hostname/port from URLCollector, it still records a hostname hit with port 0, which makes IP parsing look like outbound activity.
Environment
- OS: Linux in production
- Language version: Java 25
- Framework: Spring MVC / Spring Boot 3.5.x, Spring Security 6.5.x
- Environment: production
- Aikido Package version: please fill in exact version
Additional context
Relevant source paths:
agent/src/main/java/dev/aikido/agent/wrappers/InetAddressWrapper.java
agent_api/src/main/java/dev/aikido/agent_api/collectors/DNSRecordCollector.java
agent_api/src/main/java/dev/aikido/agent_api/collectors/URLCollector.java
Possible fix direction:
- If PendingHostnamesStore.getAndRemove(hostname) returns no ports and hostname is a literal IPv4/IPv6 address, skip recording it as outbound telemetry.
- Or classify standalone DNS/address-resolution events separately from OUTGOING_HTTP_OP.
- Keep the current behavior when a pending URL/port exists, so real outbound HTTP requests are still protected.
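The following is an added illustration of the first fix direction, written for this report and not taken from firewall-java. It assumes a hypothetical decision helper that receives the hostname passed to InetAddress.getAllByName together with the ports that PendingHostnamesStore.getAndRemove(hostname) would return (modelled here as a plain List), and decides whether the call should be registered as OUTGOING_HTTP_OP. The literal-address check is a deliberately simplified regex so that it never re-enters InetAddress itself; the class name, method names and the sample inputs in main are constructed for the example.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper mirroring the proposed fix direction; not firewall-java code.
public final class LiteralAddressTelemetryFilter {

    // Dotted-quad IPv4 literal; octet range is checked separately below.
    private static final Pattern IPV4 =
            Pattern.compile("^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$");

    // Simplified IPv6 literal: hex digits and colons, optional IPv4-mapped tail,
    // optional zone id (%eth0), optional surrounding brackets. Must contain a colon.
    private static final Pattern IPV6 =
            Pattern.compile("^\\[?[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(%[A-Za-z0-9._~-]+)?\\]?$");

    // Returns true when the string is a literal IP address rather than a DNS name.
    // Intentionally regex-based: calling InetAddress here would recurse into the wrapper.
    static boolean isLiteralIpAddress(String host) {
        if (host == null || host.isEmpty()) {
            return false;
        }
        Matcher m = IPV4.matcher(host);
        if (m.matches()) {
            for (int i = 1; i <= 4; i++) {
                if (Integer.parseInt(m.group(i)) > 255) {
                    return false; // e.g. 999.1.1.1 is not an address, treat as hostname
                }
            }
            return true;
        }
        return IPV6.matcher(host).matches();
    }

    // Decide whether an InetAddress.getAllByName(host) call should be reported as
    // OUTGOING_HTTP_OP. pendingPorts models PendingHostnamesStore.getAndRemove(host):
    // an empty list means no URL/port was registered by URLCollector for this host.
    static boolean shouldReportAsOutbound(String host, List<Integer> pendingPorts) {
        if (pendingPorts != null && !pendingPorts.isEmpty()) {
            // A pending URL exists: this is a real outbound request, keep current behaviour
            // (private and link-local targets included).
            return true;
        }
        // No URL context: a bare literal IP is address parsing (IpAddressMatcher, inbound
        // client IP handling), not a connection. Hostnames keep the current behaviour.
        return !isLiteralIpAddress(host);
    }

    public static void main(String[] args) {
        // Constructed inputs covering the cases discussed in the report.
        record Case(String host, List<Integer> ports, boolean expected) {}
        List<Case> cases = List.of(
                new Case("203.0.113.42", List.of(), false),      // literal IPv4, no URL context: skip
                new Case("203.0.113.42", List.of(443), true),    // same IP with pending HTTPS port: report
                new Case("::1", List.of(), false),               // literal IPv6, no URL context: skip
                new Case("[fe80::1%eth0]", List.of(), false),    // bracketed, zoned IPv6 literal: skip
                new Case("169.254.169.254", List.of(80), true),  // link-local with pending port: still reported
                new Case("example.internal", List.of(), true),   // hostname without URL context: unchanged
                new Case("999.1.1.1", List.of(), true)           // not a valid literal: treated as hostname
        );
        for (Case c : cases) {
            boolean got = shouldReportAsOutbound(c.host(), c.ports());
            System.out.printf("%-18s ports=%-6s reportAsOutbound=%b%n", c.host(), c.ports(), got);
            if (got != c.expected()) {
                throw new AssertionError("unexpected result for " + c.host());
            }
        }
    }
}
```

The key property the helper preserves is the third fix bullet: the presence of a pending port from URLCollector always wins, so a genuine request to a private or link-local address is still reported; only the port-0, no-URL-context case for a literal address is dropped.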