Merge branch 'security-fix-leaking-private-project-namespace' into 'master'

[master] Fix leaking private project namespace

Closes #2708

See merge request gitlab/gitlabhq!2529

2 files changed, 8 insertions, 1 deletions

diff --git a/lib/banzai/object_renderer.rb b/lib/banzai/object_renderer.rb
index a176f1e261b..7137c1da57d 100644
--- a/lib/banzai/object_renderer.rb
+++ b/lib/banzai/object_renderer.rb
@@ -38,6 +38,7 @@ module Banzai
         redacted_data = redacted[index]
         object.__send__("redacted_#{attribute}_html=", redacted_data[:document].to_html(save_options).html_safe) # rubocop:disable GitlabSecurity/PublicSend
         object.user_visible_reference_count = redacted_data[:visible_reference_count] if object.respond_to?(:user_visible_reference_count)
+        object.total_reference_count = redacted_data[:total_reference_count] if object.respond_to?(:total_reference_count)
       end
     end
 
diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index 28928d6f376..e77bee78496 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -37,7 +37,13 @@ module Banzai
 
       all_document_nodes.each do |entry|
         nodes_for_document = entry[:nodes]
-        doc_data = { document: entry[:document], visible_reference_count: nodes_for_document.count }
+
+        doc_data = {
+          document:                entry[:document],
+          total_reference_count:   nodes_for_document.count,
+          visible_reference_count: nodes_for_document.count
+        }
+
         metadata << doc_data
 
         nodes_for_document.each do |node|