Arbitrary protocol redirection
Summary
GitLab Pages can be used to redirect to arbitrary protocols in the authentication flow.
Steps to reproduce
Consider the following URL:
https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa
After the login redirect to gitlab.com, it will redirect the user to their mail client.
This could potentially be used, e.g. on mobile devices, to exfiltrate an authentication token via a custom URL handler.
Example Project
What is the current bug behavior?
Redirect to arbitrary protocols is possible.
What is the expected correct behavior?
Redirect should only be possible to https or http URLs.
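As an added illustration of the expected behaviour (not code from GitLab Pages), the following Go function validates a redirect target such as the `domain` parameter above before the auth flow redirects to it. It rejects everything except http and https, and additionally requires the host to end with an assumed Pages host suffix passed in by the caller (the `.gitlab.io` suffix is an assumption for the demo, not something the report specifies). The mailto URL from the report is used as one of the rejected inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes lists the only schemes the auth flow may redirect to.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// ValidateRedirect checks a redirect target before the auth flow uses it.
// pagesSuffix is the Pages host suffix the caller trusts (assumed, e.g. ".gitlab.io").
// On success it returns the normalized URL string; otherwise an error
// explaining which check failed.
func ValidateRedirect(raw, pagesSuffix string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparseable redirect target: %w", err)
	}

	// Scheme allowlist: mailto:, javascript:, custom app schemes and
	// scheme-relative ("//host") targets all fail here.
	scheme := strings.ToLower(u.Scheme)
	if !allowedSchemes[scheme] {
		return "", fmt.Errorf("scheme %q is not allowed (only http/https)", u.Scheme)
	}

	// A target without a host (e.g. "https:foo") is not a usable redirect.
	if u.Host == "" {
		return "", errors.New("redirect target has no host")
	}

	// Reject userinfo so "https://trusted.gitlab.io@evil.example" cannot
	// masquerade as a trusted host.
	if u.User != nil {
		return "", errors.New("userinfo in redirect target is not allowed")
	}

	// Host suffix check (assumed policy): only hosts under the Pages domain.
	host := strings.ToLower(u.Hostname())
	if !strings.HasSuffix(host, pagesSuffix) {
		return "", fmt.Errorf("host %q is outside the Pages domain %q", host, pagesSuffix)
	}

	u.Scheme = scheme
	return u.String(), nil
}

func main() {
	// Constructed sample inputs; the first is the target from the report.
	targets := []string{
		"mailto://gitlab-com.gitlab.io?body=OMGWTF",
		"javascript:alert(1)",
		"//evil.example/",
		"https://gitlab-com.gitlab.io@evil.example/",
		"https://gitlab-com.gitlab.io/",
	}
	for _, t := range targets {
		if out, err := ValidateRedirect(t, ".gitlab.io"); err != nil {
			fmt.Printf("REJECT %-48s %v\n", t, err)
		} else {
			fmt.Printf("ALLOW  %-48s -> %s\n", t, out)
		}
	}
}
```

The scheme check alone is what the report asks for; the host-suffix and userinfo checks are the extra constraints a practitioner would normally add so that an open redirect to an attacker-controlled http(s) host is caught at the same place.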