Skip to content

fix: replace shell=True with secure subprocess in TranscodePerturbation#15309

Open
Rudra-Tiwari-codes wants to merge 1 commit intoNVIDIA-NeMo:mainfrom
Rudra-Tiwari-codes:fix/transcode-perturbation-shell-security-v2
Open

fix: replace shell=True with secure subprocess in TranscodePerturbation#15309
Rudra-Tiwari-codes wants to merge 1 commit intoNVIDIA-NeMo:mainfrom
Rudra-Tiwari-codes:fix/transcode-perturbation-shell-security-v2

Conversation

@Rudra-Tiwari-codes
Copy link

@Rudra-Tiwari-codes Rudra-Tiwari-codes commented Jan 23, 2026
edited
Loading

fix: replace shell=True with secure subprocess in TranscodePerturbation

Description

This PR addresses a security vulnerability where shell=True was used in subprocess calls within the TranscodePerturbation class. Following the precedent set in PR #15165, these calls have been refactored to use secure shell=False implementations with explicit argument lists.

Changelog

  • Security Fix: Converted amr-nb, ogg, and g711 codecs in TranscodePerturbation from shell=True to secure subprocess patterns using explicit argument lists
  • Code Quality: Proper pipe handling with stdout.close() and wait() to prevent resource leaks
  • Robustness: Use subprocess.DEVNULL for stderr to prevent potential deadlocks from unread buffers
  • Cleanup: Removed unused Any import from typing module

Proposed Changes

  • [MODIFY] nemo/collections/asr/parts/preprocessing/perturb.py

Testing

  • Static Analysis: Verified no linting errors with pylint and flake8
  • Code Review: Verified functionally equivalent to original piped shell commands
  • Pattern Consistency: Follows the same approach used in merged PR Execute with subprocess list #15165

Pre checks

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests? N/A - No functional changes, only security hardening
  • Did you add or update any necessary documentation? N/A
  • Does the PR affect components that are optional to install? No
    • Reviewer: Does the PR have correct import guards for all optional libraries?

PR Type

  • New Feature
  • Bugfix
  • Documentation

Please review:

@titu1994, @redoctopus, @jbalam-nv, @okuchaiev

Additional Information

@github-actions github-actions bot added the ASR label Jan 23, 2026
@Rudra-Tiwari-codes Rudra-Tiwari-codes marked this pull request as ready for review January 23, 2026 00:46
@Rudra-Tiwari-codes Rudra-Tiwari-codes force-pushed the fix/transcode-perturbation-shell-security-v2 branch from ef1d3eb to 92b844e Compare January 23, 2026 01:00
@Rudra-Tiwari-codes
fix: replace shell=True with secure subprocess in TranscodePerturbation
18add2c 
Security: Convert amr-nb, ogg, and g711 codecs in TranscodePerturbation
from shell=True to secure subprocess patterns using list arguments.

Changes:
- Replace subprocess.check_output with shell=True to subprocess.Popen
  and subprocess.run with explicit argument lists for amr-nb and ogg codecs
- Replace subprocess.check_output with shell=True to subprocess.run
  with list arguments for g711 codec
- Use subprocess.DEVNULL for stderr to suppress unnecessary output
- Properly close stdout pipes and wait for encoder process completion
  to prevent potential resource leaks
- Remove unused 'Any' import from typing module

This follows the precedent set in PR NVIDIA-NeMo#15165 which fixed similar
security vulnerabilities in data_utils.py.

Signed-off-by: Rudra-Tiwari-codes <rudratiwari2006@gmail.com>
Signed-off-by: Rudra Tiwari <tiwarirudra2006@gmail.com>
@Rudra-Tiwari-codes Rudra-Tiwari-codes force-pushed the fix/transcode-perturbation-shell-security-v2 branch from 92b844e to 18add2c Compare January 23, 2026 01:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ASR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Rudra-Tiwari-codes