pinakes-server: validate GPS coordinate bounds; validate saved search fields and sort_order

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Idca86117aeeff4afd489ee00bb5c70a36a6a6964

crates/pinakes-server/src/routes/photos.rs

@@ -152,6 +152,14 @@ pub async fn get_map_photos(
   State(state): State<AppState>,
   Query(query): Query<MapQuery>,
 ) -> Result<impl IntoResponse, ApiError> {
+  let valid_lat = |v: f64| v.is_finite() && (-90.0..=90.0).contains(&v);
+  let valid_lon = |v: f64| v.is_finite() && (-180.0..=180.0).contains(&v);
+  if !valid_lat(query.lat1) || !valid_lat(query.lat2) {
+    return Err(ApiError::bad_request("latitude must be in [-90, 90]"));
+  }
+  if !valid_lon(query.lon1) || !valid_lon(query.lon2) {
+    return Err(ApiError::bad_request("longitude must be in [-180, 180]"));
+  }
   // Validate bounding box
   let min_lat = query.lat1.min(query.lat2);
   let max_lat = query.lat1.max(query.lat2);