labml
Unvalidated `redirect_back` false negatives
Background
Rails Version: 6.1.7.7
Brakeman Version: 6.1.2
Ruby Version: 3.1.5
Issue
Checks for `redirect_back` were added in #1756. Currently, calls to `redirect_back` without `allow_other_host: true` are allowed if `fallback_location` is specified. Setting `fallback_location`, however, does not prevent an attack via the `Referer` header. As documented here, `fallback_location` is only used if `Referer` is not set.
Note that in Rails >= 7.0 this protection can also be enforced via configuration: https://guides.rubyonrails.org/configuring.html#config-action-controller-raise-on-open-redirects
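To make the false negative concrete, here is an added example (not Brakeman's or Rails' own code) that models the `redirect_back` decision logic of Rails 6.1 in plain Ruby: with the default `allow_other_host: true`, a present `Referer` always wins over `fallback_location`; only `allow_other_host: false` makes the fallback apply to off-host referers. The request host, referer values and the `flag_redirect_back?` rule are constructed for illustration.

```ruby
require "uri"

# Stand-in for Rails 6.1's redirect_back decision (a model, not Rails itself):
#   use the Referer when it is present and either other hosts are allowed
#   or its host matches the request host; otherwise use fallback_location.
def redirect_back_target(referer:, request_host:, fallback_location:, allow_other_host: true)
  host_allowed = begin
    URI(referer.to_s).host == request_host
  rescue ArgumentError, URI::Error
    false  # unparsable Referer is never treated as same-host
  end
  use_referer = referer && (allow_other_host || host_allowed)
  use_referer ? referer : fallback_location
end

# The call shape Brakeman currently accepts: fallback_location is set,
# allow_other_host is left at its Rails 6.1 default of true.
def default_redirect(referer)
  redirect_back_target(referer: referer, request_host: "app.example",
                       fallback_location: "/")
end

# The hardened call shape: off-host referers fall through to the fallback.
def hardened_redirect(referer)
  redirect_back_target(referer: referer, request_host: "app.example",
                       fallback_location: "/", allow_other_host: false)
end

# A stricter source-line rule (hypothetical, for comparison with the current
# check): any redirect_back call without an explicit allow_other_host: false
# is reported, regardless of whether fallback_location is present.
def flag_redirect_back?(source_line)
  source_line.include?("redirect_back") &&
    !source_line.match?(/allow_other_host:\s*false\b/)
end

if $PROGRAM_NAME == __FILE__
  other = "https://other-site.example/login"   # constructed off-host Referer
  puts "default,  Referer set:   #{default_redirect(other)}"
  puts "default,  no Referer:    #{default_redirect(nil)}"
  puts "hardened, Referer set:   #{hardened_redirect(other)}"
  puts "flagged? #{flag_redirect_back?('redirect_back(fallback_location: root_path)')}"
end
```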