To limit the risk of LDAP Query injection attacks by misusing the Username, the Username should be escaped properly.
Added Test 22 to cover this case.
Test-Output
1..24
ok 1 - proper user with proper pass
ok 2 - proper user with incorrect pass
ok 3 - similar user with user1 pass
ok 4 - random user with random pass
ok 5 - user2 with proper pass
ok 6 - user3 with proper pass
ok 7 - empty user no password
ok 8 - no auth header
ok 9 - proper user with proper pass cookie
ok 10 - proper user with incorrect pass cookie
ok 11 - random user with random pass cookie
ok 12 - user2 with proper pass cookie
ok 13 - user3 with proper pass cookie
ok 14 - user3 with proper pass broken base64
ok 15 - user3 with proper pass broken cookie
ok 16 - proper user with proper pass with ssl
ok 17 - proper user with proper pass with starttls
ok 18 - dn must be set
ok 19 - url must be set
ok 20 - server2 user via referral on server1
ok 21 - unknown user with referral on server1
ok 22 - Injection Attempt in Username will be escaped and blocked.
ok 23 - no alerts
ok 24 - no sanitizer errors
Coverage report: docker cp <cid>:/tmp/nginx-test-oTIlkztVYF/htmlcov <hostdir>
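The escaping this change describes, as an added example that is not code from this change or from the project: RFC 4515 escaping of a username before it is substituted into an LDAP search filter, beside the unescaped form. The filter template, the function names and the sample usernames are assumptions constructed for illustration.

```python
# Added example: RFC 4515 escaping of a user-supplied value before it is
# placed into an LDAP search filter. Template and names are assumptions.

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

FILTER_TEMPLATE = "(&(objectClass=person)(uid={username}))"  # assumed template


def escape_filter_value(value: str) -> str:
    """Return value with each RFC 4515 special character replaced by \\XX."""
    # Character-by-character mapping, so a backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(username: str) -> str:
    """The 'before' form: the username is substituted as-is."""
    return FILTER_TEMPLATE.format(username=username)


def build_filter(username: str) -> str:
    """The hardened form: the username is escaped and stays a single value."""
    return FILTER_TEMPLATE.format(username=escape_filter_value(username))


def count_structural_parens(ldap_filter: str) -> int:
    """Count literal parentheses; escaped ones appear as \\28 / \\29 instead."""
    return sum(1 for ch in ldap_filter if ch in "()")


if __name__ == "__main__":
    # Constructed inputs: a normal name and one containing filter metacharacters.
    for name in ("user1", "user1)(uid=*"):
        print(repr(name))
        print("  unescaped:", build_filter_unescaped(name))
        print("  escaped:  ", build_filter(name))
```

With escaping, the filter keeps the same number of structural parentheses whatever the username contains, which is a cheap invariant to assert in a regression test.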