client/web: keep redirects on-site (#10525)

Ensure we don't create Location: header URLs that have leading //, which is a
schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo
redirects off-site, while /example.com/foo is an on-site path URL.

Fixes tailscale/corp#16268

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>

client/web/web_test.go

@@ -939,6 +939,49 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 	}
 }
 
+func TestNoOffSiteRedirect(t *testing.T) {
+	options := ServerOpts{
+		Mode: LoginServerMode,
+		// Emulate the admin using a --prefix option with leading slashes:
+		PathPrefix: "//evil.example.com/goat",
+		CGIMode:    true,
+	}
+	s, err := NewServer(options)
+	if err != nil {
+		t.Error(err)
+	}
+
+	tests := []struct {
+		name         string
+		target       string
+		wantHandled  bool
+		wantLocation string
+	}{
+		{
+			name:   "2-slashes",
+			target: "http://localhost//evil.example.com/goat",
+			// We must also get the trailing slash added:
+			wantLocation: "/evil.example.com/goat/",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s.logf = t.Logf
+			r := httptest.NewRequest(httpm.GET, tt.target, nil)
+			w := httptest.NewRecorder()
+			s.ServeHTTP(w, r)
+			res := w.Result()
+			defer res.Body.Close()
+
+			location := w.Header().Get("Location")
+			if location != tt.wantLocation {
+				t.Errorf("request(%q) got wrong location; want=%q, got=%q", tt.target, tt.wantLocation, location)
+			}
+		})
+	}
+}
+
 func TestRequireTailscaleIP(t *testing.T) {
 	self := &ipnstate.PeerStatus{
 		TailscaleIPs: []netip.Addr{
@@ -1007,7 +1050,7 @@ func TestRequireTailscaleIP(t *testing.T) {
 	}
 
 	for _, tt := range tests {
-		t.Run(tt.target, func(t *testing.T) {
+		t.Run(tt.name, func(t *testing.T) {
 			s.logf = t.Logf
 			r := httptest.NewRequest(httpm.GET, tt.target, nil)
 			w := httptest.NewRecorder()