authorRobert Speicher <robert@gitlab.com>2017-01-05 18:59:34 +0000
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2017-01-09 16:12:16 -0500
commit68f8e3c962f4d321655bf7930b2d883654ae8757 (patch)
tree887f7531306af0f1ae533839e20e23eb756c8019
parentbdc36887e09c07473c8d8df6f8a5a22c64939865 (diff)
Merge branch 'patch-turbolinks' into 'security'
Updated Turbolinks to the patched version of turbolinks-classic. See merge request !2048
-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock10
-rw-r--r--changelogs/unreleased/patch-turbolinks.yml4
-rw-r--r--vendor/assets/javascripts/jquery.turbolinks.js49
4 files changed, 57 insertions, 9 deletions
diff --git a/Gemfile b/Gemfile
index 837bd5a3185..c5c51cfdff7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -214,8 +214,7 @@ gem 'chronic_duration', '~> 0.10.6'
gem 'sass-rails', '~> 5.0.6'
gem 'coffee-rails', '~> 4.1.0'
gem 'uglifier', '~> 2.7.2'
-gem 'turbolinks', '~> 2.5.0'
-gem 'jquery-turbolinks', '~> 2.1.0'
+gem 'gitlab-turbolinks-classic', '~> 2.5', '>= 2.5.6'
gem 'addressable', '~> 2.3.8'
gem 'bootstrap-sass', '~> 3.3.0'
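Review bot: The new `gitlab-turbolinks-classic` line carries no comment recording why `jquery-turbolinks` was dropped together with `turbolinks`, so a later dependency cleanup could re-add it; the Gemfile.lock hunk shows `jquery-turbolinks (2.1.0)` depends on the unpatched `turbolinks` gem, and its JavaScript now lives in the vendored `vendor/assets/javascripts/jquery.turbolinks.js` added by this commit. A one-line comment above the new gem line would make that explicit: `# jquery-turbolinks removed: it pulls in the unpatched turbolinks gem; its JS is vendored in vendor/assets/javascripts/jquery.turbolinks.js`. The vendored copy reports `version: '2.1.0'`, the same as the removed gem, so Bundler will no longer surface updates for it and it has to be tracked by hand.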
diff --git a/Gemfile.lock b/Gemfile.lock
index 4c610f42e78..0c052835df1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -283,6 +283,8 @@ GEM
mime-types (>= 1.16, < 3)
posix-spawn (~> 0.3)
gitlab-markup (1.5.1)
+ gitlab-turbolinks-classic (2.5.6)
+ coffee-rails
gitlab_git (10.7.0)
activesupport (~> 4.0)
charlock_holmes (~> 0.7.3)
@@ -361,9 +363,6 @@ GEM
rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
- jquery-turbolinks (2.1.0)
- railties (>= 3.1.0)
- turbolinks
jquery-ui-rails (5.0.5)
railties (>= 3.2.16)
json (1.8.3)
@@ -751,8 +750,6 @@ GEM
truncato (0.7.8)
htmlentities (~> 4.3.1)
nokogiri (~> 1.6.1)
- turbolinks (2.5.3)
- coffee-rails
tzinfo (1.2.2)
thread_safe (~> 0.1)
u2f (0.2.1)
@@ -867,6 +864,7 @@ DEPENDENCIES
github-linguist (~> 4.7.0)
gitlab-flowdock-git-hook (~> 1.0.1)
gitlab-markup (~> 1.5.1)
+ gitlab-turbolinks-classic (~> 2.5, >= 2.5.6)
gitlab_git (~> 10.7.0)
gitlab_omniauth-ldap (~> 1.2.1)
gollum-lib (~> 4.2)
@@ -883,7 +881,6 @@ DEPENDENCIES
influxdb (~> 0.2)
jquery-atwho-rails (~> 1.3.2)
jquery-rails (~> 4.1.0)
- jquery-turbolinks (~> 2.1.0)
jquery-ui-rails (~> 5.0.0)
json-schema (~> 2.6.2)
jwt
@@ -979,7 +976,6 @@ DEPENDENCIES
thin (~> 1.7.0)
timecop (~> 0.8.0)
truncato (~> 0.7.8)
- turbolinks (~> 2.5.0)
u2f (~> 0.2.1)
uglifier (~> 2.7.2)
underscore-rails (~> 1.8.0)
diff --git a/changelogs/unreleased/patch-turbolinks.yml b/changelogs/unreleased/patch-turbolinks.yml
new file mode 100644
index 00000000000..79c62e9c1d5
--- /dev/null
+++ b/changelogs/unreleased/patch-turbolinks.yml
@@ -0,0 +1,4 @@
+---
+title: Updated Turbolinks to mitigate potential XSS attacks
+merge_request:
+author:
diff --git a/vendor/assets/javascripts/jquery.turbolinks.js b/vendor/assets/javascripts/jquery.turbolinks.js
new file mode 100644
index 00000000000..fd6e95e75d5
--- /dev/null
+++ b/vendor/assets/javascripts/jquery.turbolinks.js
@@ -0,0 +1,49 @@
+// Generated by CoffeeScript 1.7.1
+
+/*
+jQuery.Turbolinks ~ https://github.com/kossnocorp/jquery.turbolinks
+jQuery plugin for drop-in fix binded events problem caused by Turbolinks
+
+The MIT License
+Copyright (c) 2012-2013 Sasha Koss & Rico Sta. Cruz
+ */
+
+(function() {
+ var $, $document;
+
+ $ = window.jQuery || (typeof require === "function" ? require('jquery') : void 0);
+
+ $document = $(document);
+
+ $.turbo = {
+ version: '2.1.0',
+ isReady: false,
+ use: function(load, fetch) {
+ return $document.off('.turbo').on("" + load + ".turbo", this.onLoad).on("" + fetch + ".turbo", this.onFetch);
+ },
+ addCallback: function(callback) {
+ if ($.turbo.isReady) {
+ callback($);
+ }
+ return $document.on('turbo:ready', function() {
+ return callback($);
+ });
+ },
+ onLoad: function() {
+ $.turbo.isReady = true;
+ return $document.trigger('turbo:ready');
+ },
+ onFetch: function() {
+ return $.turbo.isReady = false;
+ },
+ register: function() {
+ $(this.onLoad);
+ return $.fn.ready = this.addCallback;
+ }
+ };
+
+ $.turbo.register();
+
+ $.turbo.use('page:load', 'page:fetch');
+
+}).call(this);