From 76bc5c654dd0748d559e9e85d9190771045c8235 Mon Sep 17 00:00:00 2001 From: Julian Simioni Date: Sat, 13 Oct 2018 11:00:01 -0400 Subject: [PATCH] fix(geo_common): check bbox parameters are within range If bounding box lat/lon values are outside the correct range, Elasticsearch throws very alarming errors. With a little validation code we can provide more friendly and actionable error messages. Fixes https://github.com/pelias/pelias/issues/750 --- sanitizer/_geo_common.js | 22 ++++++++++++++++++++ test/unit/sanitizer/_geo_common.js | 32 ++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/sanitizer/_geo_common.js b/sanitizer/_geo_common.js index dff0c46c..0db124a3 100644 --- a/sanitizer/_geo_common.js +++ b/sanitizer/_geo_common.js @@ -43,12 +43,34 @@ function sanitize_rect( key_prefix, clean, raw, bbox_is_required ) { } }); + sanitize_bbox_bounds(raw, key_prefix); + // use sanitize_coord to set values in `clean` properties.forEach(function(prop) { sanitize_coord(prop, clean, raw, true); }); } +// validate lat/lon values are within bounds +function sanitize_bbox_bounds(raw, key_prefix) { + const bounds = [ { dimension: 'lat', range: 90}, + { dimension: 'lon', range: 180}]; + + bounds.forEach(function(bound) { + const values = { + max: parseFloat(raw[`${key_prefix}.max_${bound.dimension}`]), + min: parseFloat(raw[`${key_prefix}.min_${bound.dimension}`]) + }; + + ['min', 'max'].forEach(function(prefix) { + if (Math.abs(values[prefix]) > bound.range) { + const key =`${key_prefix}.${prefix}_${bound.dimension}`; + throw new Error(`${key} value ${values[prefix]} is outside range -${bound.range},${bound.range}`); + } + }); + }); +} + /** * Parse and validate circle parameter * diff --git a/test/unit/sanitizer/_geo_common.js b/test/unit/sanitizer/_geo_common.js index 09c008ba..a8e6fc05 100644 --- a/test/unit/sanitizer/_geo_common.js +++ b/test/unit/sanitizer/_geo_common.js 
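Review bot: In `sanitize_bbox_bounds`, a value that `parseFloat` turns into `NaN` (absent or non-numeric) passes silently, because `Math.abs(NaN) > bound.range` is false, and input with trailing characters such as `'45abc'` is range-checked as 45. The parsed number is then discarded and `sanitize_coord` reads `raw` again, so the range check only holds if that function (not visible in this hunk) parses the same way and rejects what this one skips. I would make the skip explicit with a comment above the comparison, `// NaN (absent or non-numeric) is not checked here; sanitize_coord below is responsible for rejecting it`, or run the bounds check on the values `sanitize_coord` has already written to `clean`. The hunk also leaves `min_lat > max_lat` unchecked, which I would expect to produce the same kind of backend error the commit is trying to avoid. `sanitize_rect` begins outside the hunk, so the earlier presence checks are not visible here.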
@@ -298,6 +298,38 @@ module.exports.tests.rect = function(test, common) { }); t.end(); }); + + test('invalid rect - out of range latitude', function(t) { + var clean = {}; + var params = { + 'boundary.rect.max_lat': 352.2387, + 'boundary.rect.max_lon': 14.1367, + 'boundary.rect.min_lat': 52.7945, + 'boundary.rect.min_lon': 12.6398 + }; + var mandatory = false; + + t.throws( function() { + sanitize.sanitize_rect( 'boundary.rect', clean, params, mandatory ); + }, /boundary.rect.max_lat value 352.2387 is outside range -90,90/, 'should throw error on boundary.rect.max_lat value'); + t.end(); + }); + + test('invalid rect - out of range longitude', function(t) { + var clean = {}; + var params = { + 'boundary.rect.max_lat': 52.2387, + 'boundary.rect.max_lon': 14.1367, + 'boundary.rect.min_lat': 12.7945, + 'boundary.rect.min_lon': -200.6398 + }; + var mandatory = false; + + t.throws( function() { + sanitize.sanitize_rect( 'boundary.rect', clean, params, mandatory ); + }, /boundary.rect.min_lon value -200.6398 is outside range -180,180/, 'should throw error on boundary.rect.min_lon'); + t.end(); + }); }; module.exports.tests.circle = function(test, common) {
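Review bot: Both new tests pass JavaScript numbers that are far out of range, so they pin neither the edge of the check nor the input type a query string presumably delivers. I would add a case with the limits themselves as strings, e.g. `'boundary.rect.max_lat': '90'` and `'boundary.rect.min_lon': '-180'`, asserting with `t.doesNotThrow` that they are accepted, and one with a non-numeric value to record which layer rejects it. The `.` characters in the expected-message regexes are unescaped and match any character; `/boundary\.rect\.max_lat value 352\.2387 is outside range -90,90/` makes the assertion exact.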