new capacity bits (#67)

tests/fixtures/ldap_injection/python/baseline_constant_ldap.py

@@ -0,0 +1,10 @@
+# Baseline: filter is a compile-time constant.  No taint reaches `search_s` so
+# no LDAP_INJECTION finding fires.
+import ldap
+
+
+def lookup():
+    conn = ldap.initialize("ldap://example.com")
+    return conn.search_s(
+        "ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=person)"
+    )

tests/fixtures/ldap_injection/python/safe_ldap_search.py

@@ -0,0 +1,14 @@
+# Safe: user-supplied substring run through `escape_filter_chars` (RFC 4515)
+# before being concatenated into the filter.  The sanitizer clears the
+# LDAP_INJECTION cap so the sink does not fire.
+import ldap
+from ldap.filter import escape_filter_chars
+from flask import request
+
+
+def lookup():
+    conn = ldap.initialize("ldap://example.com")
+    user = request.form["user"]
+    safe = escape_filter_chars(user)
+    flt = "(uid=" + safe + ")"
+    return conn.search_s("ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, flt)

tests/fixtures/ldap_injection/python/unsafe_ldap_search.py

@@ -0,0 +1,13 @@
+# Unsafe: tainted form data concatenated into an LDAP filter and passed to
+# python-ldap's `search_s`.  The bound receiver `conn` is typed as LdapClient
+# via `ldap.initialize`, and the suffix matcher on `search_s` also catches the
+# call directly.
+import ldap
+from flask import request
+
+
+def lookup():
+    conn = ldap.initialize("ldap://example.com")
+    user = request.form["user"]
+    flt = "(uid=" + user + ")"
+    return conn.search_s("ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, flt)