fix: replace shell=True with secure subprocess in TranscodePerturbation

Rudra-Tiwari-codes · Rudra-Tiwari-codes · commit 92b844ee96a2 · 2026-01-23T11:41:34.000+11:00
Security Fix: Convert amr-nb, ogg, and g711 codecs in TranscodePerturbation from shell=True to secure subprocess patterns using explicit argument lists. - Use subprocess.Popen with pipes for amr-nb and ogg codecs - Use subprocess.run with list arguments for g711 codec - Remove unused 'Any' import to fix linting errors Related to #15165 Signed-off-by: Rudra Tiwari <tiwarirudra2006@gmail.com>
diff --git a/nemo/collections/asr/parts/preprocessing/perturb.py b/nemo/collections/asr/parts/preprocessing/perturb.py
@@ -39,7 +39,7 @@
 import random
 import subprocess
 from tempfile import NamedTemporaryFile
-from typing import Any, List, Optional, Union
+from typing import List, Optional, Union
 
 import librosa
 import numpy as np
@@ -1032,23 +1032,50 @@ def perturb(self, data):
             transcoded_f = NamedTemporaryFile(suffix="_amr.wav")
             rates = list(range(0, 4))
             rate = rates[random.randint(0, len(rates) - 1)]
-            _ = subprocess.check_output(
-                f"sox {orig_f.name} -V0 -C {rate} -t amr-nb - | sox -t amr-nb - -V0 -b 16 -r 16000 {transcoded_f.name}",
-                shell=True,
-            )
+            with subprocess.Popen(
+                ["sox", orig_f.name, "-V0", "-C", str(rate), "-t", "amr-nb", "-"],
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+            ) as sox_encode:
+                subprocess.run(
+                    ["sox", "-t", "amr-nb", "-", "-V0", "-b", "16", "-r", "16000", transcoded_f.name],
+                    stdin=sox_encode.stdout,
+                    check=True,
+                )
         elif self._codecs[codec_ind] == "ogg":
             transcoded_f = NamedTemporaryFile(suffix="_ogg.wav")
             rates = list(range(-1, 8))
             rate = rates[random.randint(0, len(rates) - 1)]
-            _ = subprocess.check_output(
-                f"sox {orig_f.name} -V0 -C {rate} -t ogg - | sox -t ogg - -V0 -b 16 -r 16000 {transcoded_f.name}",
-                shell=True,
-            )
+            with subprocess.Popen(
+                ["sox", orig_f.name, "-V0", "-C", str(rate), "-t", "ogg", "-"],
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+            ) as sox_encode:
+                subprocess.run(
+                    ["sox", "-t", "ogg", "-", "-V0", "-b", "16", "-r", "16000", transcoded_f.name],
+                    stdin=sox_encode.stdout,
+                    check=True,
+                )
         elif self._codecs[codec_ind] == "g711":
             transcoded_f = NamedTemporaryFile(suffix="_g711.wav")
-            _ = subprocess.check_output(
-                f"sox {orig_f.name} -V0  -r 8000 -c 1 -e a-law {transcoded_f.name} lowpass 3400 highpass 300",
-                shell=True,
+            subprocess.run(
+                [
+                    "sox",
+                    orig_f.name,
+                    "-V0",
+                    "-r",
+                    "8000",
+                    "-c",
+                    "1",
+                    "-e",
+                    "a-law",
+                    transcoded_f.name,
+                    "lowpass",
+                    "3400",
+                    "highpass",
+                    "300",
+                ],
+                check=True,
             )
 
         new_data = AudioSegment.from_file(transcoded_f.name, target_sr=16000)
