SECURITY: prevents onebox to hang too long on connect (#13481)

Gemfile.lock

@@ -214,7 +214,7 @@ GEM
       rack (>= 1.1.3)
     method_source (1.0.0)
     mini_mime (1.1.0)
-    mini_portile2 (2.5.1)
+    mini_portile2 (2.5.3)
     mini_racer (0.4.0)
       libv8-node (~> 15.14.0.0)
     mini_scheduler (0.13.0)
@@ -232,14 +232,14 @@ GEM
     multipart-post (2.1.1)
     mustache (1.1.1)
     nio4r (2.5.7)
-    nokogiri (1.11.5)
+    nokogiri (1.11.7)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    nokogiri (1.11.5-arm64-darwin)
+    nokogiri (1.11.7-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.11.5-x86_64-darwin)
+    nokogiri (1.11.7-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.11.5-x86_64-linux)
+    nokogiri (1.11.7-x86_64-linux)
       racc (~> 1.4)
     nokogumbo (2.0.5)
       nokogiri (~> 1.8, >= 1.8.4)
@@ -273,7 +273,7 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
-    onebox (2.2.15)
+    onebox (2.2.16)
       addressable (~> 2.7.0)
       htmlentities (~> 4.3)
       multi_json (~> 1.11)

lib/final_destination.rb

@@ -196,6 +196,7 @@ class FinalDestination
     response = Excon.public_send(@http_verb,
       @uri.to_s,
       read_timeout: timeout,
+      connect_timeout: timeout,
       headers: headers,
       middlewares: middlewares
     )

lib/oneboxer.rb

@@ -407,7 +407,8 @@ module Oneboxer
         ignore_hostnames: blocked_domains,
         force_get_hosts: force_get_hosts,
         force_custom_user_agent_hosts: force_custom_user_agent_hosts,
-        preserve_fragment_url_hosts: preserve_fragment_url_hosts
+        preserve_fragment_url_hosts: preserve_fragment_url_hosts,
+        timeout: 5
       }
 
       if strategy && Oneboxer.strategies[strategy][:force_get_host]