SECURITY: ensures timeouts are correctly used on connect (#13455)

SECURITY: ensures timeouts are correctly used on connect (#13455)

diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index 348a44f..2cc9b5c 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -196,6 +196,7 @@ class FinalDestination
     response = Excon.public_send(@http_verb,
       @uri.to_s,
       read_timeout: timeout,
+      connect_timeout: timeout,
       headers: headers,
       middlewares: middlewares
     )
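Review bot: `write_timeout` is still left at Excon's default in this call, so only the connect and read phases are bound by `timeout`; adding `write_timeout: timeout,` beside the new `connect_timeout: timeout,` line would cover the remaining phase. These are per-operation limits rather than a deadline for the whole request, so a host that responds slowly but steadily can still occupy the worker for longer than `timeout`. Whether an overall deadline is enforced elsewhere cannot be seen here, because the enclosing method starts and ends outside the hunk. A one-line comment above the call, such as `# every socket phase is bounded: this URL is user-supplied`, would record why the options are there.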
diff --git a/lib/onebox/helpers.rb b/lib/onebox/helpers.rb
index a3df3f2..6b8f4d3 100644
--- a/lib/onebox/helpers.rb
+++ b/lib/onebox/helpers.rb
@@ -63,8 +63,7 @@ module Onebox
       end
 
       result = StringIO.new
-      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.normalized_scheme == 'https') do |http|
-        http.open_timeout = Onebox.options.connect_timeout
+      Net::HTTP.start(uri.host, uri.port, open_timeout: Onebox.options.connect_timeout, use_ssl: uri.normalized_scheme == 'https') do |http|
         http.read_timeout = Onebox.options.timeout
         http.verify_mode = OpenSSL::SSL::VERIFY_NONE  # Work around path building bugs
 
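Review bot: The context line `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` is assigned inside the `Net::HTTP.start` block, which runs only after the connection and TLS handshake have completed, so it most likely has no effect on this session. That is the same ordering problem this commit fixes for `open_timeout`. Deleting the line would make it explicit that certificate verification stays at its default, and would stop a later refactor from silently turning verification off by moving it ahead of the connect. The same applies to `http.use_ssl = true` in the `fetch_content_length` hunk, which is redundant now that `use_ssl:` is passed to `start`. For consistency, `read_timeout: Onebox.options.timeout` could also be passed in the `start` options. Both method bodies continue outside their hunks.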
@@ -118,8 +117,7 @@ module Onebox
     def self.fetch_content_length(location)
       uri = URI(location)
 
-      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.is_a?(URI::HTTPS)) do |http|
-        http.open_timeout = Onebox.options.connect_timeout
+      Net::HTTP.start(uri.host, uri.port, open_timeout: Onebox.options.connect_timeout, use_ssl: uri.is_a?(URI::HTTPS)) do |http|
         http.read_timeout = Onebox.options.timeout
         if uri.is_a?(URI::HTTPS)
           http.use_ssl = true
diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 4a7461f..a1d1817 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -407,7 +407,8 @@ module Oneboxer
         ignore_hostnames: blocked_domains,
         force_get_hosts: force_get_hosts,
         force_custom_user_agent_hosts: force_custom_user_agent_hosts,
-        preserve_fragment_url_hosts: preserve_fragment_url_hosts
+        preserve_fragment_url_hosts: preserve_fragment_url_hosts,
+        timeout: 5
       }
 
       if strategy && Oneboxer.strategies[strategy][:force_get_host]
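Review bot: The added `timeout: 5` is a bare literal with no unit or rationale, and the code that consumes this options hash is outside the hunk. A trailing comment such as `timeout: 5 # seconds; caps each network phase of the onebox lookup` (or a named constant) would make the limit reviewable and easier to tune. It is also worth confirming that other callers building similar option hashes get a sensible default rather than no limit, which cannot be verified from this hunk.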

GitHub sha: e50b7e911128d5be9d3cbc8a9ca3173610cc01b1

This commit appears in #13455 which was approved by tgxworld. It was merged by jjaffeux.