Merge pull request #12119 from sbidoul/hg-explicit-rev-sbi

Pass revisions options explicitly to mercurial commands

news/12119.bugfix.rst

@@ -0,0 +1,3 @@
+Pass the ``-r`` flag to mercurial to be explicit that a revision is passed and protect
+against ``hg`` options injection as part of VCS URLs. Users that do not have control on
+VCS URLs passed to pip are advised to upgrade.

src/pip/_internal/vcs/mercurial.py

@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
 
     @staticmethod
     def get_base_rev_args(rev: str) -> List[str]:
-        return [rev]
+        return ["-r", rev]
 
     def fetch_new(
         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int

tests/unit/test_vcs.py

@@ -66,7 +66,7 @@ def test_rev_options_repr() -> None:
         # First check VCS-specific RevOptions behavior.
         (Bazaar, [], ["-r", "123"], {}),
         (Git, ["HEAD"], ["123"], {}),
-        (Mercurial, [], ["123"], {}),
+        (Mercurial, [], ["-r", "123"], {}),
         (Subversion, [], ["-r", "123"], {}),
         # Test extra_args.  For this, test using a single VersionControl class.
         (