GHSA-rvp5-9p55-f5rp
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
### Summary
The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin.
### Details
In `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`:
```ts
// Only guarantees a leading slash; '//host/...' passes this check unchanged
let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
if (hashQuery) cleanUrl += `?${hashQuery}`
window.location.replace(cleanUrl)
```
`startsWith('/')` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early `if (/^\/[/\\]/.test(hashPath)) return` to reject protocol-relative paths.
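To make the difference between the two checks concrete, the following is an added example (not NocoDB's code) that models the plugin's normalisation before and after the fix as pure functions, so the result can be inspected instead of passed to `window.location.replace()`. `splitHash` is a hypothetical helper standing in for the plugin's own hash parsing; `staysOnOrigin` resolves the candidate with the WHATWG `URL` parser, the same way a browser would, to show where each result would land. The `https://nocodb.example` origin and the hash values are constructed for the example.

```typescript
// Added example, not the NocoDB plugin's own code.
// Same rejection rule as the fix: reject '//' and '/\' at the start of the path.
const PROTOCOL_RELATIVE = /^\/[/\\]/;

// Hypothetical helper: splits a location hash into path and query parts.
function splitHash(hash: string): { hashPath: string; hashQuery: string } {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const qIdx = raw.indexOf('?');
  return qIdx === -1
    ? { hashPath: raw, hashQuery: '' }
    : { hashPath: raw.slice(0, qIdx), hashQuery: raw.slice(qIdx + 1) };
}

// Pre-fix normalisation: only guarantees a leading slash, so a
// protocol-relative path is returned as-is.
function vulnerableCleanUrl(hash: string): string {
  const { hashPath, hashQuery } = splitHash(hash);
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`;
  if (hashQuery) cleanUrl += `?${hashQuery}`;
  return cleanUrl;
}

// Post-fix normalisation: bails out early on '//...' or '/\...'.
// Returns null where the plugin would `return` without redirecting.
function fixedCleanUrl(hash: string): string | null {
  const { hashPath, hashQuery } = splitHash(hash);
  if (PROTOCOL_RELATIVE.test(hashPath)) return null;
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`;
  if (hashQuery) cleanUrl += `?${hashQuery}`;
  return cleanUrl;
}

// Resolves the candidate against the app origin exactly as a browser would
// for location.replace(), and reports whether the user stays on that origin.
// A null candidate means no redirect is issued at all.
function staysOnOrigin(candidate: string | null, origin = 'https://nocodb.example'): boolean {
  if (candidate === null) return true;
  return new URL(candidate, origin).origin === origin;
}

// Constructed sample hashes: one benign in-app route, two protocol-relative forms.
const SAMPLE_HASHES = ['#nc/view?x=1', '#//attacker.example/phishing', '#/\\attacker.example/phishing'];
for (const h of SAMPLE_HASHES) {
  console.log(h, '->', 'before:', staysOnOrigin(vulnerableCleanUrl(h)), 'after:', staysOnOrigin(fixedCleanUrl(h)));
}
```

The `/\` case is why the fix's regex is `^\/[/\\]` rather than `^\/\/`: for `http(s)` URLs the WHATWG parser treats a backslash like a forward slash, so `/\attacker.example/…` also resolves to a foreign origin. `staysOnOrigin` is a useful defence-in-depth check to keep beside the regex, since it tests the actual resolution result rather than a string prefix.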
### Impact
- Open redirect from any NocoDB origin to an attacker-controlled domain.
- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.
### Credit
This issue was reported by [@fg0x0](https://github.com/fg0x0).