URL redirect and ValidateIssuer CodeQL bugs

[advay26]

Addresses https://github.com/NuGet/Engineering/issues/4790
Part of https://github.com/NuGet/Engineering/issues/4593

This PR addresses 4 NuGetGallery CodeQL issues.

1. AuthenticationController.cs (2)
   • Problem: Untrusted URL redirection due to user-provided value. (Bug #1632796, Bug #1632797)
   • Solution: The redirect URLs used here are relative site URLs generated by us, and do not use any user-provided values. To avoid unwanted redirection, we now check that the returnUrl is a relative Url, and redirect to the 'Home' page if it isn't.
2. ValidateRecaptchaResponseAttribute.cs (1)
   • Problem: Potential server side request forgery due to a user-provided value flowing to a constructor or method from class
     System.Net.Http.HttpClient. (Bug #1632800)
   • Solution: The Recaptcha validation URL flagged here does not use any user-provided values either. These values are generated by client-side reCAPTCHA code. The mitigation here is that the validation Url is limited to a specific host, which should prevent unwanted redirection. Added a suppression comment.
3. AzureActiveDirectoryV2Authenticator.cs (1)
   • Problem: "The security sensitive property ValidateIssuer is being disabled by the followign value: false." We were disabling
     the ValidateIssuer flag in our AAD auth. When Issuer Validation is turned on, the issuer in the token is compared
     against a list of accepted tenants. (Bug #1632802)
   • Solution: We have a multi-tenant app, and do not restrict token issuers to a limited set of tenants, so we can keep this
     flag off. Added a suppression comment.