Address path traversal and other security fixes

src/files.rs

@@ -932,6 +932,7 @@ pub async fn get_gps_summary(
     request: HttpRequest,
     req: Query<FilesRequest>,
     exif_dao: Data<Mutex<Box<dyn ExifDao>>>,
+    app_state: Data<AppState>,
 ) -> Result<HttpResponse, actix_web::Error> {
     use crate::data::{GpsPhotoSummary, GpsPhotosResponse};
 
@@ -952,17 +953,17 @@ pub async fn get_gps_summary(
     // The database stores relative paths, so we use the path as-is
     // Normalize empty path or "/" to return all GPS photos
     let requested_path = if req.path.is_empty() || req.path == "/" {
-        ""
+        String::new()
     } else {
-        // Just do basic validation to prevent path traversal
-        if req.path.contains("..") {
-            warn!("Path traversal attempt: {}", req.path);
+        // Validate path using the same check as all other endpoints
+        if is_valid_full_path(&app_state.base_path, &req.path, false).is_none() {
+            warn!("Invalid path for GPS summary: {}", req.path);
             cx.span().set_status(Status::error("Invalid path"));
-            return Ok(HttpResponse::Forbidden().json(serde_json::json!({
+            return Ok(HttpResponse::BadRequest().json(serde_json::json!({
                 "error": "Invalid path"
             })));
         }
-        req.path.as_str()
+        req.path.clone()
     };
 
     let recursive = req.recursive.unwrap_or(false);
@@ -973,7 +974,7 @@ pub async fn get_gps_summary(
 
     // Query database for all photos with GPS
     let mut exif_dao_guard = exif_dao.lock().expect("Unable to get ExifDao");
-    match exif_dao_guard.get_all_with_gps(&cx, requested_path, recursive) {
+    match exif_dao_guard.get_all_with_gps(&cx, &requested_path, recursive) {
         Ok(gps_data) => {
             let mut photos: Vec<GpsPhotoSummary> = gps_data
                 .into_iter()