SECURITY: Bound the amount of work that embed#topics can do

This commit adds a hidden site setting that limits the maximum number of
topics that can be fetched at once via the embed controller.

app/controllers/embed_controller.rb

@@ -41,7 +41,11 @@ class EmbedController < ApplicationController
     end
 
     list_options = build_topic_list_options
-    list_options[:per_page] = params[:per_page].to_i if params.has_key?(:per_page)
+
+    if params.has_key?(:per_page)
+      list_options[:per_page] =
+        [params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min
+    end
 
     if params[:allow_create]
       @allow_create = true

config/site_settings.yml

@@ -1702,6 +1702,9 @@ embedding:
   embed_post_limit:
     default: 100
     hidden: true
+  embed_topic_limit_per_page:
+    default: 200
+    hidden: true
   embed_title_scrubber:
     default: ""
     hidden: true