Fix #5874: Filter out candidates with hash mismatches.

news/5874.feature

@@ -0,0 +1 @@
+Only select candidates in hash-checking mode that will pass hash checks.

src/pip/_internal/index.py

@@ -51,6 +51,7 @@
     from pip._internal.pep425tags import Pep425Tag
     from pip._internal.req import InstallRequirement
     from pip._internal.download import PipSession
+    from pip._internal.utils.hashes import Hashes
 
     SecureOrigin = Tuple[str, str, Optional[str]]
     BuildTag = Tuple[Any, ...]  # either empty tuple or Tuple[int, str]
@@ -309,16 +310,41 @@ def _sort_key(self, candidate):
             pri = -(support_num)
         return (binary_preference, candidate.version, build_tag, pri)
 
-    def get_best_candidate(self, candidates):
-        # type: (List[InstallationCandidate]) -> InstallationCandidate
+    def get_best_candidate(self, candidates, hashes=None):
+        # type: (List[InstallationCandidate], Optional[Hashes]) -> Optional[InstallationCandidate]  # noqa: E501
         """
-        Return the best candidate per the instance's sort order, or None if
-        no candidates are given.
+        Return the best candidate per the instance's sort order, ignoring
+        any that do not match the provided hashes in hash-checking mode.
+        Returns None if no candidates are given or none match the hashes.
         """
         if not candidates:
             return None
 
-        return max(candidates, key=self._sort_key)
+        # If we are in hash-checking mode, filter out candidates that will
+        # fail the hash check per the hash provided in their Link URL to
+        # prevent HashMismatch errors. However, if no hashes are provided
+        # we don't want to filter out all candidates, but instead let
+        # a HashMissing error get raised later.
+        # This is not a security check: after download the contents will
+        # be hashed and compared to the known-good hashes.
+        if not hashes:
+            return max(candidates, self._sort_key)
+
+        candidates = sorted(candidates, key=self._sort_key, reverse=True)
+        for candidate in candidates:
+            link = candidate.location
+            if not link.hash:
+                # Candidates with no hash in their URLs probably still match
+                # the provided hashes, so we shouldn't filter them out.
+                return candidate
+            if hashes.test_against_hash(link.hash_name, link.hash):
+                return candidate
+            logger.warning(
+                "candidate %s ignored: hash %s:%s not among provided hashes",
+                link.filename, link.hash_name, link.hash,
+            )
+
+        return None
 
 
 class FoundCandidates(object):
@@ -386,13 +412,13 @@ def iter_applicable(self):
         # Again, converting version to str to deal with debundling.
         return (c for c in self.iter_all() if str(c.version) in self._versions)
 
-    def get_best(self):
-        # type: () -> Optional[InstallationCandidate]
+    def get_best(self, hashes=None):
+        # type: (Optional[Hashes]) -> Optional[InstallationCandidate]
         """Return the best candidate available, or None if no applicable
         candidates are found.
         """
         candidates = list(self.iter_applicable())
-        return self._evaluator.get_best_candidate(candidates)
+        return self._evaluator.get_best_candidate(candidates, hashes=hashes)
 
 
 class PackageFinder(object):
@@ -764,7 +790,9 @@ def find_requirement(self, req, upgrade):
         Raises DistributionNotFound or BestVersionAlreadyInstalled otherwise
         """
         candidates = self.find_candidates(req.name, req.specifier)
-        best_candidate = candidates.get_best()
+        # Get any hashes supplied by the user to filter candidates.
+        hashes = req.hashes(trust_internet=False)
+        best_candidate = candidates.get_best(hashes)
 
         installed_version = None    # type: Optional[_BaseVersion]
         if req.satisfied_by is not None:

src/pip/_internal/utils/hashes.py

@@ -86,6 +86,11 @@ def check_against_path(self, path):
         with open(path, 'rb') as file:
             return self.check_against_file(file)
 
+    def test_against_hash(self, hash_name, hash_value):
+        # type (str, str) -> bool
+        """Return whether a given hash is among the known-good hashes."""
+        return hash_value in self._allowed.get(hash_name, [])
+
     def __nonzero__(self):
         # type: () -> bool
         """Return whether I know any known-good hashes."""

tests/unit/test_req.py

@@ -115,7 +115,9 @@ def test_missing_hash_checking(self):
         ))
         # This flag activates --require-hashes mode:
         reqset.add_requirement(get_processed_req_from_line(
-            'tracefront==0.1 --hash=sha256:somehash', lineno=2,
+            'tracefront==0.1 --hash=sha256:d74cd6119a883bf15e2bae63ac0fea33b48'
+            '45e1a76b82aad586537d92a25bb51',
+            lineno=2,
         ))
         # This hash should be accepted because it came from the reqs file, not
         # from the internet:
@@ -145,7 +147,8 @@ def test_missing_hash_checking(self):
             r'    blessings==1.0 --hash=sha256:[0-9a-f]+\n'
             r'THESE PACKAGES DO NOT MATCH THE HASHES.*\n'
             r'    tracefront==0.1 .*:\n'
-            r'        Expected sha256 somehash\n'
+            r'        Expected sha256 d74cd6119a883bf15e2bae63ac0fea33b4845e1a'
+            r'76b82aad586537d92a25bb51\n'
             r'             Got        [0-9a-f]+$',
             resolver.resolve,
             reqset