HackerOne report H1:1502099 by Zerodivisi0n
History: Mar 06, 2022 - 9:01 p.m.

Mattermost: Reflected XSS in OAuth complete endpoints

2022-03-06 21:01:59
zerodivisi0n
hackerone.com
$150
7

6.1 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.0005 Low
Percentile: 14.4%

Summary:

The following endpoints are vulnerable to reflected XSS:

GET /oauth/{service:[A-Za-z0-9]+}/complete
GET /api/v3/oauth/{service:[A-Za-z0-9]+}/complete
GET /signup/{service:[A-Za-z0-9]+}/complete
GET /login/{service:[A-Za-z0-9]+}/complete

The vulnerability exists because the redirect_to field inside the base64-encoded state query parameter is not sanitized before it is reflected into the response (the original report links to the affected code here).

Steps To Reproduce:

  1. Set up a local Mattermost instance, e.g. on the address http://localhost:8065 (server guide, webapp guide).
  2. Enable GitLab auth at http://localhost:8065/admin_console/authentication/gitlab. (There may be other ways to enable OAuth; this one seemed the easiest to me.)
  3. Open the following link: http://mattermost:8065/login/gitlab/complete?code=x&state=eyJhY3Rpb24iOiJtb2JpbGUiLCJyZWRpcmVjdF90byI6InRlc3RcIj48c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4ifQ==. This link contains a base64-encoded payload in the state param: {"action":"mobile","redirect_to":"test\"><script>alert(document.domain)</script>"}
  4. A JavaScript alert with the current domain appears.

Impact

An attacker can distribute a link in a chat that carries malicious JavaScript code. That code can then send AJAX requests on behalf of the user who opened the link.
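As an added example (not code from the report or from Mattermost), the following shows how the state parameter described above decodes and how a server-side check could refuse a redirect_to value that is not a site-relative path before anything is reflected into the response. The OAuthState struct, DecodeState and SafeRedirect are assumptions for this example; the embedded ReportState value is the state string from the report's reproduction link.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OAuthState mirrors the JSON the report decodes from the state parameter.
// The struct is an assumption for this example, not Mattermost's own type.
type OAuthState struct {
	Action     string `json:"action"`
	RedirectTo string `json:"redirect_to"`
}

// DecodeState base64-decodes and parses the state query parameter.
func DecodeState(state string) (*OAuthState, error) {
	raw, err := base64.StdEncoding.DecodeString(state)
	if err != nil {
		return nil, fmt.Errorf("state is not valid base64: %w", err)
	}
	var s OAuthState
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("state is not valid JSON: %w", err)
	}
	return &s, nil
}

// SafeRedirect accepts only a site-relative path: one leading "/", not "//"
// (protocol-relative), no backslash (browsers treat "/\" like "//"), and none
// of the characters that close an HTML attribute or open a tag. Bad input is
// refused with an error rather than "cleaned", so a handler can fall back to "/".
func SafeRedirect(redirectTo string) (string, error) {
	if redirectTo == "" {
		return "/", nil
	}
	if !strings.HasPrefix(redirectTo, "/") || strings.HasPrefix(redirectTo, "//") {
		return "", errors.New("redirect_to must be a site-relative path")
	}
	if strings.ContainsAny(redirectTo, "\\<>\"'") {
		return "", errors.New("redirect_to contains unsafe characters")
	}
	return redirectTo, nil
}

// ReportState is the base64 state value from the report's reproduction link.
const ReportState = "eyJhY3Rpb24iOiJtb2JpbGUiLCJyZWRpcmVjdF90byI6InRlc3RcIj48c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4ifQ=="
```

Decoding ReportState yields action "mobile" and the redirect_to string shown in step 3, which SafeRedirect rejects because it does not start with "/" and contains HTML metacharacters.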
