Potential fix for code scanning alert no. 4: Incomplete URL substring sanitization

[Teagan42]

Potential fix for https://github.com/constructorfleet/mcp-plex/security/code-scanning/4

The correct way to check if a request is being made to "themoviedb.org" is to parse the URL and inspect its hostname component (which can be extracted via urllib.parse in Python). Replace the substring match if "themoviedb.org" in url: with parsing the URL (with urllib.parse.urlparse), and then checking that hostname is equal to "themoviedb.org" or a subdomain thereof (possibly endswith ".themoviedb.org"). For the context of this test code, checking hostname and hostname.endswith("themoviedb.org") suffices. We need to import urlparse from urllib.parse, and use it in the handler function at line 61. Only the handler function and the import statement need to be modified in this file.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
mcp_plex
config.py	33	6	82%	50, 52–55, 58
loader.py	565	6	99%	198, 253, 255–257, 273
server.py	592	28	95%	41–42, 117–118, 146, 250, 254, 275–278, 295, 353, 367, 385–386, 423, 1074, 1096–1102, 1138, 1156, 1161, 1179, 1303, 1340
TOTAL	1364	40	97%

Tests	Skipped	Failures	Errors	Time
91	0 💤	0 ❌	0 🔥	47.846s ⏱️

[Copilot]

Pull Request Overview

This PR addresses a security vulnerability by replacing unsafe URL substring checking with proper hostname validation. The fix prevents potential URL substring sanitization bypass attacks by using urllib.parse.urlparse to properly validate requests to The Movie Database API.

• Adds proper URL parsing using urllib.parse.urlparse
• Replaces substring check with hostname validation that includes subdomain support
• Maintains existing test functionality while improving security

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}