Potential fix for code scanning alert no. 2: Uncontrolled command line

video/info.py

@@ -7,7 +7,7 @@
 
 from tornado import gen, web
 from tornado.concurrent import run_on_executor
-from utils import safely_join_path
+from utils import safely_join_path, validate_video_name
 
 
 class InfoHandler(web.RequestHandler):
@@ -70,7 +70,12 @@ def _get_info(self, video):
 
     @gen.coroutine
     def get(self):
-        video = unquote(str(self.get_argument("video")))
+        raw_video = unquote(str(self.get_argument("video")))
+        try:
+            video = validate_video_name(raw_video)
+        except ValueError as exc:
+            self.send_error(400, reason=str(exc))
+            return
         if os.path.exists(safely_join_path(self._mp4path, video)):
             info = yield self._get_info(video)
             self.write(info)

video/utils.py

@@ -20,3 +20,19 @@ def str2bool(in_val):
         return True
     else:
         return False
+
+
+def validate_video_name(name):
+    """
+    Validate that the provided video identifier is a simple file name and
+    not a path. Returns a normalized name or raises ValueError.
+    """
+    if not isinstance(name, str):
+        raise ValueError("Video name must be a string")
+    cleaned = name.strip()
+    if not cleaned:
+        raise ValueError("Video name cannot be empty")
+    # Disallow path separators to ensure this is just a file name.
+    if os.sep in cleaned or "/" in cleaned or "\\" in cleaned:
+        raise ValueError(f"Invalid video name: {cleaned}")
+    return cleaned