Open redirection with "X-Forwarded-Host" header injection

Link:          https://hackerone.com/reports/411914
By:            @8ayac

Details: Summary: I have discovered the possibility of open redirection, which threatens users on many functions.

Description: The exploitation is via "X-Forwarded-Host" header injection. Note: This issue is at all places where 302 redirect occurs.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Go to "http://{GitLab host}/projects/new"
  3. Fill out "Project name" form with "poc".
  4. Click "Create project" button.
  5. Intercept the request.
  6. Add "X-Forwarded-Host: http://www.example.com" to the request headers.
  7. Send the request.

Result: Redirected to www.example.com.
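The behaviour the report describes comes from a redirect that builds its Location from whatever X-Forwarded-Host the client supplied. The following Ruby is an added illustration, not GitLab's code: a naive redirect builder that trusts the proxy header, a hardened one that only honours it when it names a host on a constructed allowlist (TRUSTED_HOSTS is an assumption), and a small check a log pipeline could use to flag requests whose forwarded host is not one of ours. The sample request hashes are constructed Rack-style env tables; the injected value is a bare hostname rather than the full URL used in the report.

```ruby
# Added example (not GitLab's code): an open redirect via X-Forwarded-Host,
# a hardened variant, and a detection helper. Hosts below are constructed.
TRUSTED_HOSTS = ['gitlab.example.internal'].freeze # assumed canonical host(s)

# Vulnerable pattern: the redirect host is taken from X-Forwarded-Host
# (if present) before falling back to Host, so any client can choose it.
def naive_redirect_location(env, path)
  host   = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  scheme = env['HTTP_X_FORWARDED_PROTO'] || 'http'
  "#{scheme}://#{host}#{path}"
end

# Normalise a header value to a lowercase hostname without port; when a proxy
# chain appended several values, the last one is the nearest proxy's.
def normalised_host(value)
  value.to_s.split(',').last.to_s.strip.downcase.sub(/:\d+\z/, '')
end

# Only accept a site-relative path, so the path itself cannot smuggle a host
# ("//evil" or "/\evil" would be read as protocol-relative by browsers).
def safe_path(path)
  p = path.to_s
  p.start_with?('/') && !p.start_with?('//') && !p.start_with?('/\\') ? p : '/'
end

# Hardened pattern: honour X-Forwarded-Host only when it names a host we
# actually serve; otherwise redirect to the canonical host regardless of
# what the client sent. The scheme is fixed rather than client-controlled.
def hardened_redirect_location(env, path, trusted_hosts: TRUSTED_HOSTS)
  forwarded = env['HTTP_X_FORWARDED_HOST']
  candidate = normalised_host(forwarded || env['HTTP_HOST'])
  host = trusted_hosts.include?(candidate) ? candidate : trusted_hosts.first
  "https://#{host}#{safe_path(path)}"
end

# Detection helper: true when a request carries an X-Forwarded-Host that is
# not one of our hosts. A legitimate reverse proxy never sends a foreign value,
# so hits on this check are worth alerting on.
def suspicious_forwarded_host?(env, trusted_hosts: TRUSTED_HOSTS)
  forwarded = env['HTTP_X_FORWARDED_HOST']
  return false if forwarded.nil?
  !trusted_hosts.include?(normalised_host(forwarded))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request resembling step 6 of the report (bare hostname used).
  injected = { 'HTTP_HOST' => 'gitlab.example.internal',
               'HTTP_X_FORWARDED_HOST' => 'www.example.com' }
  puts "naive:    #{naive_redirect_location(injected, '/root/poc')}"
  puts "hardened: #{hardened_redirect_location(injected, '/root/poc')}"
  puts "flagged:  #{suspicious_forwarded_host?(injected)}"
end
```

In a real Rails deployment the equivalent of the allowlist is the framework's host authorization setting and the proxy's own header handling; the point of the example is that the application must decide which proxies it trusts rather than accept the header from the public side.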

Impact

An attacker could redirect users to his webpages for phishing attacks.

Timeline: 2018-09-21 17:45:08 +0000: @jritchey (user assigned to bug [team-only])