Add an LDAP injection plugin

[ericwb]

Is your feature request related to a problem? Please describe.
Similar to other injection checks, add an LDAP injection.

Describe the solution you'd like
Like the other plugins that scan for injection in SQL, shell, etc, we could use one that checks for LDAP search injection.

https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet

Describe alternatives you've considered
n/a

Additional context
n/a

[spaceone]

I would like to see this as well!
filter = '(&(objectClass=person)(uid=%s)' % (username,) is vulnerable.
Instead ldap.filter.filter_format('(&(objectClass=person)(uid=%s)' , [username]) can be used to escape filters.

dn = 'uid=%s,cn=users,dc=base' % (username,) ist vulnerable. Instead 'uid=%s,cn=users,dc=base % (ldap.dn.escape_dn_chars(username),)` can be used to escape DN's.

[spaceone]

@ericwb or anyone else: would you review my implementation for ruff: see astral-sh/ruff#2811 (comment)

[ericwb]

@ericwb or anyone else: would you review my implementation for ruff: see astral-sh/ruff#2811 (comment)

In my opinion, I think the best way to handle (SQL, command, ssh, LDAP, etc) injection issues would be to make use of Taint Analysis. But to do so, requires Bandit to maintain a symbol table and possible a call flow graph.