Fix --require-hashes trusting link hashes

When a direct URL with hash is provided as a dependency, --require-hash incorrectly considered the link hash as trusted.
pypa · Apr 8, 2023 · d0cf1ad · d0cf1ad
1 parent 155f1aa
commit d0cf1ad
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/news/11938.bugfix.rst b/news/11938.bugfix.rst
@@ -0,0 +1,3 @@
+When package A depends on package B provided as a direct URL dependency including a hash
+embedded in the link, the --require-hashes option did not warn when user supplied hashes
+were missing for package B.
diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py
@@ -287,7 +287,12 @@ def hashes(self, trust_internet: bool = True) -> Hashes:
 
  """
  good_hashes = self.hash_options.copy()
- link = self.link if trust_internet else self.original_link
+ if trust_internet:
+ link = self.link
+ elif self.original_link and self.user_supplied:
+ link = self.original_link
+ else:
+ link = None
  if link and link.hash:
  good_hashes.setdefault(link.hash_name, []).append(link.hash)
  return Hashes(good_hashes)