Fix pypa#5874: Filter out candidates with hash mismatches.

Changes the behavior of `pip install` in hash-checking mode to filter
out any candidates whose hashes (obtained via URL) do not match the
hashes provided. This prevents a HashMismatch error when a more
preferred binary distribution is upload for a release after a user
pins the hashes for that release.

Note that a second hash comparison is performed when the candidate is
downloaded. This is important because the first check is not secure: it
trusts that the hash in the URL is the same as the hash in the content,
and it also does not error when the user is in hash-checking mode but
has not provided a hash.

Author: alexbecker

news/5874.feature

@@ -0,0 +1 @@
+Only select candidates in hash-checking mode that will pass hash checks.

src/pip/_internal/index.py

@@ -51,6 +51,7 @@
     from pip._internal.pep425tags import Pep425Tag
     from pip._internal.req import InstallRequirement
     from pip._internal.download import PipSession
+    from pip._internal.utils import Hashes
 
     SecureOrigin = Tuple[str, str, Optional[str]]
     BuildTag = Tuple[Any, ...]  # either empty tuple or Tuple[int, str]
@@ -386,12 +387,28 @@ def iter_applicable(self):
         # Again, converting version to str to deal with debundling.
         return (c for c in self.iter_all() if str(c.version) in self._versions)
 
-    def get_best(self):
-        # type: () -> Optional[InstallationCandidate]
+    def get_best(self, hashes=None):
+        # type: (Optional[Hashes]) -> Optional[InstallationCandidate]
         """Return the best candidate available, or None if no applicable
         candidates are found.
         """
         candidates = list(self.iter_applicable())
+        if hashes:
+            # If we are in hash-checking mode, filter out candidates that will
+            # fail the hash check. This prevents HashMismatch errors when a new
+            # distribution is uploaded for an old release.
+            def test_against_hashes(candidate):
+                link = candidate.location
+                is_match = hashes.test_against_hash(link.hash_name, link.hash)
+                if not is_match:
+                    logger.warning(
+                        "candidate %s ignored: hash %s:%s not among provided "
+                        "hashes",
+                        link.filename, link.hash_name, link.hash,
+                    )
+                return is_match
+
+            candidates = [c for c in candidates if test_against_hashes(c)]
         return self._evaluator.get_best_candidate(candidates)
 
 
@@ -764,7 +781,9 @@ def find_requirement(self, req, upgrade):
         Raises DistributionNotFound or BestVersionAlreadyInstalled otherwise
         """
         candidates = self.find_candidates(req.name, req.specifier)
-        best_candidate = candidates.get_best()
+        # Get any hashes supplied by the user to filter candidates.
+        hashes = req.hashes(trust_internet=False)
+        best_candidate = candidates.get_best(hashes)
 
         installed_version = None    # type: Optional[_BaseVersion]
         if req.satisfied_by is not None:

src/pip/_internal/utils/hashes.py

@@ -86,6 +86,11 @@ def check_against_path(self, path):
         with open(path, 'rb') as file:
             return self.check_against_file(file)
 
+    def test_against_hash(self, hash_name, hash_value):
+        # type (str, str) -> bool
+        """Return whether a given hash is among the known-good hashes."""
+        return hash_value in self._allowed.get(hash_name, [])
+
     def __nonzero__(self):
         # type: () -> bool
         """Return whether I know any known-good hashes."""