Various fixes to the link hash parser

news/11936.bugfix.rst

@@ -0,0 +1 @@
+Fix and improve the parsing of hashes embedded in URL fragments.

src/pip/_internal/models/link.py

@@ -61,13 +61,13 @@ class LinkHash:
         # against Hashes when hash-checking is needed. This is easier to debug than
         # proactively discarding an invalid hex digest, as we handle incorrect hashes
         # and malformed hashes in the same place.
-        r"({choices})=(.*)".format(
+        r"[#&]({choices})=([^&]+)".format(
             choices="|".join(re.escape(hash_name) for hash_name in _SUPPORTED_HASHES)
         ),
     )
 
     def __post_init__(self) -> None:
-        assert self._hash_re.match(f"{self.name}={self.value}")
+        assert self._hash_re.match(f"#{self.name}={self.value}")
 
     @classmethod
     @functools.lru_cache(maxsize=None)

tests/unit/test_collector.py

@@ -1051,6 +1051,18 @@ def expand_path(path: str) -> str:
             "https://pypi.org/pip-18.0.tar.gz#sha256=aa113592bbe",
             LinkHash("sha256", "aa113592bbe"),
         ),
+        (
+            "https://pypi.org/pip-18.0.tar.gz#sha256=aa113592bbe&subdirectory=setup",
+            LinkHash("sha256", "aa113592bbe"),
+        ),
+        (
+            "https://pypi.org/pip-18.0.tar.gz#subdirectory=setup&sha256=aa113592bbe",
+            LinkHash("sha256", "aa113592bbe"),
+        ),
+        # "xsha256" is not a valid algorithm, so we discard it.
+        ("https://pypi.org/pip-18.0.tar.gz#xsha256=aa113592bbe", None),
+        # Discard empty hash.
+        ("https://pypi.org/pip-18.0.tar.gz#sha256=", None),
         (
             "https://pypi.org/pip-18.0.tar.gz#md5=aa113592bbe",
             LinkHash("md5", "aa113592bbe"),