Onebox susceptible to DoS
Package
Onebox
(Discourse)
Affected versions
stable <= 2.8.0; beta <= 2.9.0.beta1; tests-passed <= 2.8.0
Patched versions
stable >= 2.8.1; beta >= 2.9.0.beta2; tests-passed >= 2.9.0.beta2
Impact
Users can trigger a denial of service by posting a streaming URL: parsing the onebox for that URL in the background job enters an infinite loop, which leaks memory.
Patches
This issue is patched in the latest versions of Discourse.
Workarounds
Disable onebox completely in the admin panel, or specify an allow list of domains that will be oneboxed.
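The two defensive checks below are an added illustration, not Discourse's or Onebox's own code: a domain allow-list check of the kind the workaround describes, and a bounded body reader that gives up on a never-ending (streaming) response instead of looping until memory runs out. The function names, the allow-list matching rules and the constructed endless stream are assumptions for this example.

```ruby
require "uri"

# Return true only if the URL is http(s) and its host is an allow-listed domain
# or a subdomain of one. An empty allow list oneboxes nothing, matching the
# "disable completely" workaround. (Hypothetical helper, not Onebox's API.)
def oneboxable?(url, allowed_domains)
  uri = URI.parse(url) rescue nil
  return false unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS is a subclass
  host = uri.host.downcase
  allowed_domains.any? do |domain|
    domain = domain.downcase
    host == domain || host.end_with?(".#{domain}")
  end
end

# Collect a body chunk by chunk and stop once max_bytes have been gathered.
# `chunks` is anything enumerable that yields strings (for example the chunks
# Net::HTTP#read_body yields to its block). Returns [body, truncated?]; an
# endless stream always comes back truncated instead of hanging the job.
def read_bounded(chunks, max_bytes)
  body = +""
  chunks.each do |chunk|
    remaining = max_bytes - body.bytesize
    if chunk.bytesize >= remaining
      body << chunk.byteslice(0, remaining)
      return [body, true] # cap reached: treat the URL as not oneboxable
    end
    body << chunk
  end
  [body, false] # body ended on its own before the cap
end

# Constructed stand-in for a streaming response: yields 1 KiB chunks forever.
ENDLESS_STREAM = Enumerator.new { |y| loop { y << ("x" * 1024) } }
```

With a cap of 4096 bytes, read_bounded(ENDLESS_STREAM, 4096) returns after four chunks with truncated? set to true, which is the signal a background job can use to abandon the URL.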