From ce1abdf27361829675b3f3f23b70e0d642fa3caa Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Mon, 21 Jun 2021 17:34:01 +0200
Subject: [PATCH] SECURITY: ensures timeouts are correctly used on connect (#13455)
---
 lib/final_destination.rb | 1 +
 lib/onebox/helpers.rb | 6 ++----
 lib/oneboxer.rb | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index 348a44f429..2cc9b5c305 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -196,6 +196,7 @@ class FinalDestination
 response = Excon.public_send(@http_verb,
 @uri.to_s,
 read_timeout: timeout,
+ connect_timeout: timeout,
 headers: headers,
 middlewares: middlewares
 )
diff --git a/lib/onebox/helpers.rb b/lib/onebox/helpers.rb
index a3df3f2a04..6b8f4d3f25 100644
--- a/lib/onebox/helpers.rb
+++ b/lib/onebox/helpers.rb
@@ -63,8 +63,7 @@ module Onebox
 end
 result = StringIO.new
- Net::HTTP.start(uri.host, uri.port, use_ssl: uri.normalized_scheme == 'https') do |http|
- http.open_timeout = Onebox.options.connect_timeout
+ Net::HTTP.start(uri.host, uri.port, open_timeout: Onebox.options.connect_timeout, use_ssl: uri.normalized_scheme == 'https') do |http|
 http.read_timeout = Onebox.options.timeout
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE # Work around path building bugs
@@ -118,8 +117,7 @@ module Onebox
 def self.fetch_content_length(location)
 uri = URI(location)
- Net::HTTP.start(uri.host, uri.port, use_ssl: uri.is_a?(URI::HTTPS)) do |http|
- http.open_timeout = Onebox.options.connect_timeout
+ Net::HTTP.start(uri.host, uri.port, open_timeout: Onebox.options.connect_timeout, use_ssl: uri.is_a?(URI::HTTPS)) do |http|
 http.read_timeout = Onebox.options.timeout if uri.is_a?(URI::HTTPS)
 http.use_ssl = true
diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 4a7461f871..a1d1817d11 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
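Review bot: In the `Excon.public_send` call, `connect_timeout: timeout` reuses the read timeout value, so the two phases are limited separately and a single request can take roughly twice `timeout`; nothing in the hunk sets `write_timeout` or an overall deadline. If this call runs once per redirect hop (the enclosing method starts and ends outside the hunk, so that is an assumption), the time a slow or unresponsive host can hold a worker is a multiple of that. I would add a comment above the options such as `# connect and read are limited separately; worst case per request is about 2 * timeout`. The diffstat shows no spec change, so a test asserting that `connect_timeout` reaches Excon would keep this security fix from regressing.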
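Review bot: In the first `lib/onebox/helpers.rb` hunk, `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` is still assigned inside the `Net::HTTP.start` block, which is the same set-after-connect ordering this commit fixes for `open_timeout`. As far as I know Net::HTTP applies its TLS settings while `start` opens the connection, so this assignment probably has no effect on the handshake, and the `http.use_ssl = true` line in the `fetch_content_length` hunk is likewise redundant next to the `use_ssl:` option. I would delete both lines rather than move `verify_mode` into the `start` options, because moving it would switch certificate verification off for every fetched URL; if verification really has to be skipped, that deserves its own reviewed change. For consistency `read_timeout: Onebox.options.timeout` can also be passed to `start`. Both blocks continue outside their hunks.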
@@ -407,7 +407,8 @@ module Oneboxer
 ignore_hostnames: blocked_domains,
 force_get_hosts: force_get_hosts,
 force_custom_user_agent_hosts: force_custom_user_agent_hosts,
- preserve_fragment_url_hosts: preserve_fragment_url_hosts
+ preserve_fragment_url_hosts: preserve_fragment_url_hosts,
+ timeout: 5
 } if strategy && Oneboxer.strategies[strategy][:force_get_host]
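Review bot: `timeout: 5` in the options hash is a bare literal with no unit or rationale, while the Onebox helpers changed in this same commit read their limits from `Onebox.options.connect_timeout` and `Onebox.options.timeout`. This hash is presumably what FinalDestination receives, and its hunk now applies the one value to both connect and read, so the number decides how long each slow host can occupy a worker and should be easy to find and tune. I would name it, for example `timeout: FINAL_DESTINATION_TIMEOUT_SECONDS` (the name is only a suggestion) defined at the top of the module, or read it from configuration, and add the comment `# seconds; applied to connect and read separately`. The hash literal and the method around it start outside the hunk.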