fix: address security vulnerabilities and code quality issues

Security fixes:
- Fix open redirect vulnerability in segment financial info views by validating
  return_url parameter with url_has_allowed_host_and_scheme()
- Add null check for obj.segment in SegmentFinancialInfoView to prevent
  AttributeError when segment is missing

API improvements:
- Replace hardcoded URL strings with DRF reverse() calls in segment financial
  info serializer for proper URL generation
- Fix NoReverseMatch error by using correct URL pattern name
  'plugins-api:cesnet_service_path_plugin-api:segment-detail'
- Remove redundant permission checks in SegmentSerializer.get_financial_info()

Code quality improvements:
- Fix typo: rename SegmnetCircuitMappingViewSet to SegmentCircuitMappingViewSet
  across all files (urls.py, __init__.py, views/segment_circuit_mapping.py)
- Move get_currency_choices and get_default_currency imports to module level
  in segment_financial_info form to follow Python best practices
- Remove duplicate '{% load plugins %}' statement from segment.html template
- Fix inconsistent typing: change lowercase 'list' to 'List' in GraphQL schema
  for segment_financial_info_list field

Documentation:
- Add clarifying note in README.md explaining that EUR in example config is
  an override while CZK is the fallback default currency

All changes maintain backward compatibility and improve code maintainability.

Author: Kani999

README.md

@@ -404,6 +404,8 @@ PLUGINS_CONFIG = {
 }
 ```
 
+*Note: This example shows EUR as the configured default currency. If not configured, the application will use CZK as the fallback default.*
+
 **Configuration options:**
 - `currencies`: List of (code, name) tuples for available currencies
 - `default_currency`: Default currency code to use when creating new financial records

cesnet_service_path_plugin/api/serializers/segment.py

@@ -98,21 +98,14 @@ def get_financial_info(self, obj):
             return None
 
         # Check if user has permission to view financial info
-        has_financial_view_perm = request.user.has_perm("cesnet_service_path_plugin.view_segmentfinancialinfo")
-
-        # Check if user has permission to view financial info
-        if not has_financial_view_perm:
+        if not request.user.has_perm("cesnet_service_path_plugin.view_segmentfinancialinfo"):
             return None
 
-        # Try to get financial info if user has permission
-        financial_info = None
-        if has_financial_view_perm:
-            financial_info = getattr(obj, "financial_info", None)
-
+        # Fetch and serialize financial info if user has permission
+        financial_info = getattr(obj, "financial_info", None)
         if financial_info:
             return SegmentFinancialInfoSerializer(financial_info, context=self.context).data
-        else:
-            return None
+        return None
 
     def update(self, instance, validated_data):
         """Handle file upload during update"""

cesnet_service_path_plugin/api/serializers/segment_financial_info.py

@@ -1,6 +1,7 @@
 # cesnet_service_path_plugin/api/serializers/segment_financial_info.py
 from netbox.api.serializers import NetBoxModelSerializer
 from rest_framework import serializers
+from rest_framework.reverse import reverse
 
 from cesnet_service_path_plugin.models import Segment, SegmentFinancialInfo
 
@@ -71,13 +72,17 @@ def get_segment_detail(self, obj):
             request = self.context.get("request")
 
             if request:
-                # API context - build absolute URI
-                segment_url = request.build_absolute_uri(
-                    f"/api/plugins/cesnet-service-path-plugin/segments/{obj.segment.id}/"
+                # API context - build absolute URI using reverse
+                segment_url = reverse(
+                    "plugins-api:cesnet_service_path_plugin-api:segment-detail",
+                    kwargs={"pk": obj.segment.id},
+                    request=request,
                 )
             else:
                 # Non-API context (e.g., form validation) - use relative URL
-                segment_url = f"/api/plugins/cesnet-service-path-plugin/segments/{obj.segment.id}/"
+                segment_url = reverse(
+                    "plugins-api:cesnet_service_path_plugin-api:segment-detail", kwargs={"pk": obj.segment.id}
+                )
 
             return {
                 "id": obj.segment.id,

cesnet_service_path_plugin/api/urls.py

@@ -7,7 +7,7 @@
 router.register("segments", views.SegmentViewSet)
 router.register("service-paths", views.ServicePathViewSet)
 router.register("service-path-segment-mappings", views.ServicePathSegmentMappingViewSet)
-router.register("segment-circuit-mappings", views.SegmnetCircuitMappingViewSet)
+router.register("segment-circuit-mappings", views.SegmentCircuitMappingViewSet)
 router.register("segment-financial-info", views.SegmentFinancialInfoViewSet)
 
 

cesnet_service_path_plugin/api/views/__init__.py

@@ -1,13 +1,13 @@
 from .segment import SegmentViewSet
-from .segment_circuit_mapping import SegmnetCircuitMappingViewSet
+from .segment_circuit_mapping import SegmentCircuitMappingViewSet
 from .segment_financial_info import SegmentFinancialInfoViewSet
 from .service_path import ServicePathViewSet
 from .service_path_segment_mapping import ServicePathSegmentMappingViewSet
 
 __all__ = [
     "SegmentFinancialInfoViewSet",
     "SegmentViewSet",
-    "SegmnetCircuitMappingViewSet",
+    "SegmentCircuitMappingViewSet",
     "ServicePathSegmentMappingViewSet",
     "ServicePathViewSet",
 ]

cesnet_service_path_plugin/api/views/segment_circuit_mapping.py

@@ -5,7 +5,7 @@
 from cesnet_service_path_plugin.api.serializers import SegmentCircuitMappingSerializer
 
 
-class SegmnetCircuitMappingViewSet(NetBoxModelViewSet):
+class SegmentCircuitMappingViewSet(NetBoxModelViewSet):
     metadata_class = ContentTypeMetadata
     queryset = models.SegmentCircuitMapping.objects.all()
     serializer_class = SegmentCircuitMappingSerializer

cesnet_service_path_plugin/forms/segment_financial_info.py

@@ -4,6 +4,7 @@
 from utilities.forms.rendering import FieldSet
 
 from cesnet_service_path_plugin.models import Segment, SegmentFinancialInfo
+from cesnet_service_path_plugin.models.segment_financial_info import get_currency_choices, get_default_currency
 
 
 class SegmentFinancialInfoForm(NetBoxModelForm):
@@ -36,8 +37,6 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
         # Dynamically set currency choices from the model's get_currency_choices
-        from cesnet_service_path_plugin.models.segment_financial_info import get_currency_choices, get_default_currency
-
         self.fields["charge_currency"].choices = get_currency_choices()
         self.fields["charge_currency"].initial = get_default_currency()
 

cesnet_service_path_plugin/graphql/schema.py

@@ -4,11 +4,11 @@
 import strawberry_django
 
 from .types import (
-    SegmentType,
     SegmentCircuitMappingType,
     SegmentFinancialInfoType,
-    ServicePathType,
+    SegmentType,
     ServicePathSegmentMappingType,
+    ServicePathType,
 )
 
 
@@ -21,7 +21,7 @@ class CesnetServicePathQuery:
     segment_circuit_mapping_list: List[SegmentCircuitMappingType] = strawberry_django.field()
 
     segment_financial_info: SegmentFinancialInfoType = strawberry_django.field()
-    segment_financial_info_list: list[SegmentFinancialInfoType] = strawberry_django.field()
+    segment_financial_info_list: List[SegmentFinancialInfoType] = strawberry_django.field()
 
     service_path: ServicePathType = strawberry_django.field()
     service_path_list: List[ServicePathType] = strawberry_django.field()

cesnet_service_path_plugin/templates/cesnet_service_path_plugin/segment.html

@@ -6,7 +6,6 @@
 {% load tabs %}
 {% load i18n %}
 {% load perms %}
-{% load plugins %}
 {% load custom_filters %}
 {% load render_table from django_tables2 %}
 

cesnet_service_path_plugin/views/segment_financial_info.py

@@ -1,4 +1,5 @@
 from django.shortcuts import redirect
+from django.utils.http import url_has_allowed_host_and_scheme
 from netbox.views import generic
 from utilities.views import register_model_view
 
@@ -16,6 +17,9 @@ class SegmentFinancialInfoView(generic.ObjectView):
 
     def get(self, request, *args, **kwargs):
         obj = self.get_object(**kwargs)
+        # Check if segment exists before redirecting
+        if obj.segment is None:
+            return redirect("/")
         # Redirect to the parent segment's detail view
         return redirect(obj.segment.get_absolute_url())
 
@@ -32,13 +36,11 @@ def get_return_url(self, request, obj=None):
         """
         # Check if return_url is in request
         if return_url := request.GET.get("return_url") or request.POST.get("return_url"):
-            return return_url
+            # Validate the return_url to prevent open redirect
+            if url_has_allowed_host_and_scheme(return_url, allowed_hosts={request.get_host()}, require_https=True):
+                return return_url
 
-        # Otherwise return to the segment detail
-        if obj and obj.segment:
-            return obj.segment.get_absolute_url()
-
-        # Fallback to the default behavior
+        # Return safe default if validation fails or no return_url provided
         return super().get_return_url(request, obj)
 
 
@@ -52,11 +54,9 @@ def get_return_url(self, request, obj=None):
         """
         # Check if return_url is in request
         if return_url := request.GET.get("return_url") or request.POST.get("return_url"):
-            return return_url
-
-        # Otherwise return to the segment detail
-        if obj and obj.segment:
-            return obj.segment.get_absolute_url()
+            # Validate the return_url to prevent open redirect
+            if url_has_allowed_host_and_scheme(return_url, allowed_hosts={request.get_host()}, require_https=True):
+                return return_url
 
-        # Fallback to the default behavior
+        # Return safe default if validation fails or no return_url provided
         return super().get_return_url(request, obj)