From 0b800d307f57c500e04d66d0ba0612cb61bd2d27 Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Mon, 20 Jul 2020 12:13:35 +0100
Subject: [PATCH] SECURITY: Bound the amount of work that embed#topics can do

This commit adds a hidden site setting that limits the maximum number of topics that can be fetched at once via the embed controller.
---
 app/controllers/embed_controller.rb | 6 +++++-
 config/site_settings.yml | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index 04e6a2ec89f..2a05f7d8238 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@@ -41,7 +41,11 @@ class EmbedController < ApplicationController
     end
 
     list_options = build_topic_list_options
-    list_options[:per_page] = params[:per_page].to_i if params.has_key?(:per_page)
+
+    if params.has_key?(:per_page)
+      list_options[:per_page] =
+        [params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min
+    end
 
     if params[:allow_create]
       @allow_create = true
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 714fa88b7a0..c8dcaa6fd74 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1702,6 +1702,9 @@ embedding:
   embed_post_limit:
     default: 100
     hidden: true
+  embed_topic_limit_per_page:
+    default: 200
+    hidden: true
   embed_title_scrubber:
     default: ""
     hidden: true
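Review bot: The new `.min` caps only the upper end of per_page; `params[:per_page].to_i` still yields 0 for a non-numeric value and a negative number for something like `per_page=-5`, and both are stored in list_options unchanged, exactly as before the patch. Whether a zero or negative per_page is harmless depends on how the consumer of build_topic_list_options treats it, which is not visible here; if it is not already normalised downstream, clamping both ends is a one-line change: `list_options[:per_page] = params[:per_page].to_i.clamp(1, SiteSetting.embed_topic_limit_per_page)` (note `clamp` raises ArgumentError if the setting is ever below 1, so pair it with a lower bound on the setting). The enclosing action starts and ends outside the hunk.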
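Review bot: `embed_topic_limit_per_page` is declared with no lower bound, so an admin or a data fix can set it to 0 or a negative value, after which the `[params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min` expression in embed_controller.rb produces 0 or less for every request that passes per_page. If this file's integer settings accept a `min:` key (they appear to elsewhere in Discourse, but none is visible in this hunk), adding `min: 1` under the new entry alongside `default: 200` and `hidden: true` keeps the cap meaningful; confirm the loader enforces `min:` for hidden settings before relying on it.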