External url service is always treating relative path URLs without protocol and host name as external

[flash1293]

Kibana version: master

Describe the bug: As discussed in #114093 , the validateUrl method of the external url service is not correctly handling URLs which only consist out of a relative path (without leading slash) and optionally a hash.

Steps to reproduce:
See example here: #114093 (review)

• Set up policy in yml file
• Go to TSVB and define a drilldown url with the example defined here: https://www.elastic.co/guide/en/kibana/current/tsvb.html
• Click the link in the chart
• Modal about forbidden url is shown

Expected behavior:
User should be redirected

Any additional context:

The logic for checking whether a given URL is internal looks like this:

kibana/src/core/public/http/external_url_service.ts

Lines 62 to 64 in 4584a8b

	const isInternalURL =
	url.origin === base.origin &&
	(!serverBasePath || url.pathname.startsWith(`${serverBasePath}/`));

It's not accounting for the case of non-fully qualified URLs (no protocol and no host) which are not specifying the whole path (starting with a leading slash), but are relative to the current url (no leading slash):
Example (assuming the users current location is http://localhost:1234/mybasepath/app/visualizations#/edit/4344):

• http://localhost:1234/mybasepath/app/dashboards#/view/234345 recognized as internal
• /mybasepath/app/dashboards#/view/234345 recognized as internal
• dashboards#/view/234345 wrongly treated as external URL

I suggest to resolve this by fully qualifying the URL being passed to the validation function before doing internal/external checks using the resolve method of the url package: https://www.npmjs.com/package/url#urlresolvefrom-to

It behaves like the browser would if the URL is used as href for an anchor element (which is exactly what Vega and TSVB are doing)

It would be great if this bug could be fixed for 7.16 as external url policy support for Vega and TSVB just got introduced and might break URLs which are working in 7.15

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[lukeelmers]

@jportner Is security team planning to track this one, or should core be keeping an eye on it?

[jportner]

We spoke to @flash1293 offline, I think we agreed on a fix and he's going to submit a PR soon 👍 thanks for checking!