new capacity bits (#67)

tests/fixtures/ldap_injection/javascript/baseline_constant_ldap.js

@@ -0,0 +1,11 @@
+// Baseline: filter is a literal constant; no taint reaches the search call.
+const ldap = require('ldapjs');
+
+const client = ldap.createClient({ url: 'ldap://example.com' });
+
+function lookup(_req, res) {
+    const filter = '(objectClass=person)';
+    client.search('ou=people,dc=example,dc=com', { filter: filter }, (err) => { res.json({ ok: !err }); });
+}
+
+module.exports = lookup;

tests/fixtures/ldap_injection/javascript/safe_ldap_search.js

@@ -0,0 +1,16 @@
+// Safe: ldap-escape's `filter` helper escapes the user-controlled substring
+// before it lands in the filter expression.  Mirrors the unsafe sibling's
+// bound-variable shape so only the sanitiser introduction differs.
+const ldap = require('ldapjs');
+const ldapEscape = require('ldap-escape');
+
+const client = ldap.createClient({ url: 'ldap://example.com' });
+
+function lookup(req, res) {
+    const user = req.query.user;
+    const safe = ldapEscape(user);
+    const filter = '(uid=' + safe + ')';
+    client.search('ou=people,dc=example,dc=com', { filter: filter }, (err) => { res.json({ ok: !err }); });
+}
+
+module.exports = lookup;

tests/fixtures/ldap_injection/javascript/unsafe_ldap_search.js

@@ -0,0 +1,16 @@
+// Unsafe: ldapjs `client.search` receives a filter assembled from req.query.
+// Bound-variable idiom: the closure-captured `client` carries
+// `TypeKind::LdapClient` (forwarded from the top-level body to the function
+// body by `taint::inject_external_type_facts`), so type-qualified receiver
+// resolution rewrites `client.search` → `LdapClient.search`.
+const ldap = require('ldapjs');
+
+const client = ldap.createClient({ url: 'ldap://example.com' });
+
+function lookup(req, res) {
+    const user = req.query.user;
+    const filter = '(uid=' + user + ')';
+    client.search('ou=people,dc=example,dc=com', { filter: filter }, (err) => { res.json({ ok: !err }); });
+}
+
+module.exports = lookup;