From d7dec998bb4000b5cec92f7dd17c03a0c366a1be Mon Sep 17 00:00:00 2001
From: kalebmckale
Date: Sat, 21 Jan 2023 18:47:56 -0500
Subject: [PATCH] Addresses Issue #5572: Implement PIP_TRUSTED_HOSTS logic...

Duplicated logic from `import_requirements()` in requirements.py to `do_install()` in `install.py` to allow users to specify index via `--index` command-line option and validate against `PIP_TRUSTED_HOSTS` when determining `verify_ssl` value.
---
 news/5572.feature.rst | 1 +
 pipenv/routines/install.py | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 news/5572.feature.rst

diff --git a/news/5572.feature.rst b/news/5572.feature.rst
new file mode 100644
index 0000000000..7cdc602b8a
--- /dev/null
+++ b/news/5572.feature.rst
@@ -0,0 +1 @@
+Implement PIP_TRUSTED_HOSTS logic from importing requirements to specified --index URL.
diff --git a/pipenv/routines/install.py b/pipenv/routines/install.py
index 647205986a..44bba7d3b8 100644
--- a/pipenv/routines/install.py
+++ b/pipenv/routines/install.py
@@ -10,7 +10,7 @@
 from pipenv.routines.lock import do_lock
 from pipenv.utils.dependencies import convert_deps_to_pip, is_star
 from pipenv.utils.indexes import get_source_list
-from pipenv.utils.internet import download_file, is_valid_url
+from pipenv.utils.internet import download_file, get_host_and_port, is_valid_url
 from pipenv.utils.pip import (
 format_pip_error,
 format_pip_output,
@@ -334,8 +334,21 @@ def do_install(
 )
 # Add the package to the Pipfile.
 if index_url:
+ trusted_hosts = get_trusted_hosts()
+ host_and_port = get_host_and_port(index_url)
+ require_valid_https = not any(
+ (
+ v in trusted_hosts
+ for v in (
+ host_and_port,
+ host_and_port.partition(":")[
+ 0
+ ], # also check if hostname without port is in trusted_hosts
+ )
+ )
+ )
 index_name = project.add_index_to_pipfile(
- index_url, verify_ssl=index_url.startswith("https:")
+ index_url, verify_ssl=require_valid_https
 )
 pkg_requirement.index = index_name
 try:
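Review bot: The `verify_ssl=require_valid_https` argument in the second `install.py` hunk turns a per-shell setting into a persistent one: when the `--index` host matches `PIP_TRUSTED_HOSTS`, `verify_ssl=False` is passed to `project.add_index_to_pipfile(...)`, which appears to record it in the Pipfile, so certificate verification would stay off for that index for everyone who later uses the project, even for an `https:` URL. Printing a warning whenever `require_valid_https` is false, plus a comment such as `# verify_ssl=False is stored with the index entry and outlives this shell's PIP_TRUSTED_HOSTS`, would make that visible. The commit message says this block is copied from `import_requirements()`; a shared helper would keep the two trust checks from drifting apart. The added code also calls `get_trusted_hosts()` while the import hunk adds only `get_host_and_port`, so confirm the name is already imported in `install.py`. `do_install()` starts before and continues after this hunk.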