From 023f5ae8e00f87d838263dbcf252d0cfe7a4f924 Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Tue, 22 Jun 2021 17:19:13 +0200
Subject: [PATCH] SECURITY: prevents onebox to hang too long on connect (#13481)
---
 Gemfile.lock | 12 ++++++------
 lib/final_destination.rb | 1 +
 lib/oneboxer.rb | 3 ++-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 0bae7f10fc..bd63c072eb 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -214,7 +214,7 @@ GEM
 rack (>= 1.1.3)
 method_source (1.0.0)
 mini_mime (1.1.0)
- mini_portile2 (2.5.1)
+ mini_portile2 (2.5.3)
 mini_racer (0.4.0)
 libv8-node (~> 15.14.0.0)
 mini_scheduler (0.13.0)
@@ -232,14 +232,14 @@ GEM
 multipart-post (2.1.1)
 mustache (1.1.1)
 nio4r (2.5.7)
- nokogiri (1.11.5)
+ nokogiri (1.11.7)
 mini_portile2 (~> 2.5.0)
 racc (~> 1.4)
- nokogiri (1.11.5-arm64-darwin)
+ nokogiri (1.11.7-arm64-darwin)
 racc (~> 1.4)
- nokogiri (1.11.5-x86_64-darwin)
+ nokogiri (1.11.7-x86_64-darwin)
 racc (~> 1.4)
- nokogiri (1.11.5-x86_64-linux)
+ nokogiri (1.11.7-x86_64-linux)
 racc (~> 1.4)
 nokogumbo (2.0.5)
 nokogiri (~> 1.8, >= 1.8.4)
@@ -273,7 +273,7 @@ GEM
 omniauth-twitter (1.4.0)
 omniauth-oauth (~> 1.1)
 rack
- onebox (2.2.15)
+ onebox (2.2.16)
 addressable (~> 2.7.0)
 htmlentities (~> 4.3)
 multi_json (~> 1.11)
diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index 348a44f429..2cc9b5c305 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -196,6 +196,7 @@ class FinalDestination
 response = Excon.public_send(@http_verb, @uri.to_s, read_timeout: timeout,
+ connect_timeout: timeout,
 headers: headers, middlewares: middlewares )
diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 239f6b2c7f..8a2cc6cef7 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
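Review bot: The added `connect_timeout: timeout,` bounds only the connect phase of the Excon call; Excon also accepts `write_timeout:`, so a peer that accepts the connection but stalls while the request is being written is still unbounded, and `write_timeout: timeout,` next to the new line would close that gap. These are per-attempt limits, so if this call is repeated while following redirects the total wall time can be a multiple of `timeout`; a short comment on where `timeout` is defined stating whether it is per hop or overall would make that reviewable. The method enclosing this hunk starts and ends outside it.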
@@ -407,7 +407,8 @@ module Oneboxer
 ignore_hostnames: blocked_domains, force_get_hosts: force_get_hosts, force_custom_user_agent_hosts: force_custom_user_agent_hosts,
- preserve_fragment_url_hosts: preserve_fragment_url_hosts
+ preserve_fragment_url_hosts: preserve_fragment_url_hosts,
+ timeout: 5
 } if strategy && Oneboxer.strategies[strategy][:force_get_host]
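Review bot: `timeout: 5` on the new line is a bare literal with no unit and no rationale, and nothing in the hunk shows how the receiving options hash interprets it (presumably seconds, since it appears to feed the Excon read/connect timeouts, but that is not visible here). A named constant would document the intent, e.g. `FETCH_TIMEOUT_SECONDS = 5 # bounds onebox connect/read so one slow host cannot tie up a worker` (constructed name) with `timeout: FETCH_TIMEOUT_SECONDS` in the hash. The hash literal and the method that builds it begin outside the hunk.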