SECURITY: Bound the amount of work that embed#topics can do

SECURITY: Bound the amount of work that embed#topics can do

This commit adds a hidden site setting that limits the maximum number of topics that can be fetched at once via the embed controller.

diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index 04e6a2e..2a05f7d 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@@ -41,7 +41,11 @@ class EmbedController < ApplicationController
     end
 
     list_options = build_topic_list_options
-    list_options[:per_page] = params[:per_page].to_i if params.has_key?(:per_page)
+
+    if params.has_key?(:per_page)
+      list_options[:per_page] =
+        [params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min
+    end
 
     if params[:allow_create]
       @allow_create = true
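Review bot: The new cap on `per_page` bounds only the upper end. `params[:per_page].to_i` returns 0 for non-numeric input and keeps negative numbers, and `[...].min` passes both straight into `list_options[:per_page]`. How the topic query handles a zero or negative page size is not visible in this hunk, so it would be safer to bound both ends with `list_options[:per_page] = params[:per_page].to_i.clamp(1, SiteSetting.embed_topic_limit_per_page)`. Note that `clamp` raises if the setting is ever below 1, so the setting needs a floor too. The enclosing action starts and ends outside the hunk; a request spec covering an over-limit, a zero and a negative `per_page` would pin the intended behaviour.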
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 714fa88..c8dcaa6 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1702,6 +1702,9 @@ embedding:
   embed_post_limit:
     default: 100
     hidden: true
+  embed_topic_limit_per_page:
+    default: 200
+    hidden: true
   embed_title_scrubber:
     default: ""
     hidden: true
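Review bot: `embed_topic_limit_per_page` is declared with a default only, so nothing stops the hidden setting from being set to 0, a negative number, or a very large value that defeats the bound this commit introduces. The controller takes `min` of the request value and this setting, so a non-positive setting becomes the effective page size. If the settings schema is used as elsewhere in this file, adding `min: 1` and a sensible `max:` under the new key would keep the limit meaningful. A short comment such as `# upper bound on per_page accepted by embed#topics` would also help, since hidden settings are not described in the admin UI.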

GitHub sha: 0b800d30