diff --git a/news/11773.bugfix.rst b/news/11773.bugfix.rst
new file mode 100644
index 00000000000..077bf061259
--- /dev/null
+++ b/news/11773.bugfix.rst
@@ -0,0 +1 @@
+Do not crash in presence of misformatted hash field in ``direct_url.json``.
diff --git a/src/pip/_internal/models/direct_url.py b/src/pip/_internal/models/direct_url.py
index 09b540f916c..c3de70a749c 100644
--- a/src/pip/_internal/models/direct_url.py
+++ b/src/pip/_internal/models/direct_url.py
@@ -108,7 +108,12 @@ def __init__(
 if hash is not None:
 # Auto-populate the hashes key to upgrade to the new format automatically.
 # We don't back-populate the legacy hash key.
- hash_name, hash_value = hash.split("=", 1)
+ try:
+ hash_name, hash_value = hash.split("=", 1)
+ except ValueError:
+ raise DirectUrlValidationError(
+ f"invalid archive_info.hash format: {hash!r}"
+ )
 if hashes is None:
 hashes = {hash_name: hash_value}
 elif hash_name not in hash:
diff --git a/tests/unit/test_direct_url.py b/tests/unit/test_direct_url.py
index e1708ae9381..3ca982b5017 100644
--- a/tests/unit/test_direct_url.py
+++ b/tests/unit/test_direct_url.py
@@ -102,6 +102,13 @@ def test_parsing_validation() -> None:
 match="more than one of archive_info, dir_info, vcs_info",
 ):
 DirectUrl.from_dict({"url": "http://...", "dir_info": {}, "archive_info": {}})
+ with pytest.raises(
+ DirectUrlValidationError,
+ match="invalid archive_info.hash format",
+ ):
+ DirectUrl.from_dict(
+ {"url": "http://...", "archive_info": {"hash": "sha256:aaa"}}
+ )
 
 
 def test_redact_url() -> None:
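Review bot: The context line `elif hash_name not in hash:` just below the new try/except tests membership in the legacy `hash` string rather than the `hashes` dict. Because `hash_name` was split out of `hash`, that substring test can never be true, so the branch looks unreachable and presumably should read `elif hash_name not in hashes:`. Its body and the start of `__init__` lie outside the hunk, so confirm there that the intent is to merge the legacy digest into an existing `hashes` mapping. Separately, the new guard only rejects a value with no `=`, so `=abc` or `sha256=` still yields an empty name or digest; a follow-up `if not hash_name or not hash_value:` raising the same `DirectUrlValidationError` would keep such entries out of the recorded hashes. Writing the raise with `from None` would also keep the internal `ValueError` out of the chained traceback.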
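Review bot: The added assertion in `test_parsing_validation` covers only the missing-separator input `sha256:aaa`, so the success path of the same code is left unpinned by this change. A companion case that parses `{"hash": "sha256=aaa"}` and checks that the resulting archive info carries `{"sha256": "aaa"}` in its hashes would protect the upgrade logic the try/except wraps. A further case where both `hash` and `hashes` are supplied would exercise the `elif` merge branch. The test function starts outside the hunk, so check whether an existing test elsewhere already covers these before adding them.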