From 84b7873357a53966c853a0d021ce4ad62c803982 Mon Sep 17 00:00:00 2001
From: shenlian <shenlian6@huawei.com>
Date: Thu, 3 Jul 2025 19:43:14 +0800
Subject: [PATCH 1/3] add  env check

---
 ascend_deployer/download_util.py             |  6 +-
 ascend_deployer/module_utils/path_manager.py | 75 ++++++++++++--------
 2 files changed, 50 insertions(+), 31 deletions(-)

diff --git a/ascend_deployer/download_util.py b/ascend_deployer/download_util.py
index 5554f5e9..a73fbc67 100644
--- a/ascend_deployer/download_util.py
+++ b/ascend_deployer/download_util.py
@@ -26,8 +26,10 @@ from downloader.parallel_file_downloader import ParallelDownloader, DownloadFile
 
 ROOT_PATH = SRC_PATH = os.path.dirname(__file__)
 REFERER = "https://www.hiascend.com/"
-LOCAL_FILE = os.path.normpath('./downloader/obs_downloader_config.zip')
-EXTRACT_FILE = './downloader/obs_downloader_config'
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DOWNLOADER_DIR = os.path.join(BASE_DIR, 'downloader')
+LOCAL_FILE = os.path.join(DOWNLOADER_DIR, 'obs_downloader_config.zip')
+EXTRACT_FILE = os.path.join(DOWNLOADER_DIR, 'obs_downloader_config')
 
 
 def get_os_list():
diff --git a/ascend_deployer/module_utils/path_manager.py b/ascend_deployer/module_utils/path_manager.py
index 32b7ce6f..ee2a0609 100644
--- a/ascend_deployer/module_utils/path_manager.py
+++ b/ascend_deployer/module_utils/path_manager.py
@@ -13,7 +13,8 @@ def get_validated_env(
         whitelist=PATH_WHITE_LIST_LIN,
         min_length=1,
         max_length=MAX_PATH_LEN,
-        check_symlink=True
+        check_symlink=True,
+        check_owner=True
 ):
     """
     获取并验证环境变量 (兼容 Python 2/3)
@@ -22,21 +23,40 @@ def get_validated_env(
     :param min_length: 最小长度限制
     :param max_length: 最大长度限制
     :param check_symlink: 是否检查软链接
+    :param check_owner: 属组检查
     :return: 验证通过的环境变量值
     :raises ValueError: 验证失败时抛出
     """
     value = os.getenv(env_name)
-
     if value is None:
         return None
-
     # 白名单校验
+    whitelist_check(value, whitelist)
+    # 长度校验
+    length_check(env_name, max_length, min_length, value)
+    # 软连接校验
+    if check_symlink:
+        symlink_check(env_name, value)
+    if check_owner and not owner_check(value):
+        raise ValueError("The path {} is not owned by current user or root.".format(value))
+    return value
+
+
+def whitelist_check(value, whitelist):
     for char in value:
         if char not in whitelist:
             raise ValueError(
                 "The path is invalid. The path can contain only char in '{}'".format(whitelist))
 
-    # 长度校验
+
+def owner_check(path):
+    path_stat = os.stat(path)
+    path_owner, path_gid = path_stat.st_uid, path_stat.st_gid
+    user_check = path_owner == os.getuid() and path_owner == os.geteuid()
+    return path_owner == 0 or path_gid in os.getgroups() or user_check
+
+
+def length_check(env_name, max_length, min_length, value):
     str_len = len(value)
     if min_length is not None and str_len < min_length:
         raise ValueError(
@@ -44,7 +64,6 @@ def get_validated_env(
                 env_name, min_length, str_len
             )
         )
-
     if max_length is not None and str_len > max_length:
         raise ValueError(
             "Value for {} is too long. Maximum length: {}, actual: {}".format(
@@ -52,30 +71,28 @@ def get_validated_env(
             )
         )
 
-    # 路径安全校验
-    if check_symlink:
-        # 在 Python 2/3 中正确处理 unicode 路径
-        if isinstance(value, bytes):
-            path_value = value.decode('utf-8', 'replace')
-        else:
-            path_value = value
-        # 软链接检查
-        if check_symlink:
-            try:
-                # 检查路径是否存在且是符号链接
-                if os.path.lexists(path_value) and os.path.islink(path_value):
-                    raise ValueError(
-                        "Path for {} is a symlink: {}. Symlinks are not allowed for security reasons.".format(
-                            env_name, path_value
-                        )
-                    )
-            except (OSError, IOError) as e:
-                # 处理文件系统访问错误
-                if e.errno != errno.ENOENT:  # 忽略文件不存在的错误
-                    raise ValueError(
-                        "Error checking symlink for {}: {} - {}".format(env_name, path_value, str(e))
-                    )
-    return value
+
+def symlink_check(env_name, value):
+    # 在 Python 2/3 中正确处理 unicode 路径
+    if isinstance(value, bytes):
+        path_value = value.decode('utf-8', 'replace')
+    else:
+        path_value = value
+    # 软链接检查
+    try:
+        # 检查路径是否存在且是符号链接
+        if os.path.lexists(path_value) and os.path.islink(path_value):
+            raise ValueError(
+                "Path for {} is a symlink: {}. Symlinks are not allowed for security reasons.".format(
+                    env_name, path_value
+                )
+            )
+    except (OSError, IOError) as e:
+        # 处理文件系统访问错误
+        if e.errno != errno.ENOENT:  # 忽略文件不存在的错误
+            raise ValueError(
+                "Error checking symlink for {}: {} - {}".format(env_name, path_value, str(e))
+            )
 
 
 class ProjectPath:
-- 
Gitee


From 092633f236bfb88e10ea920e6d37c8a2a5124da4 Mon Sep 17 00:00:00 2001
From: shenlian <shenlian6@huawei.com>
Date: Thu, 3 Jul 2025 19:49:39 +0800
Subject: [PATCH 2/3] add  env check

---
 ascend_deployer/module_utils/path_manager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ascend_deployer/module_utils/path_manager.py b/ascend_deployer/module_utils/path_manager.py
index ee2a0609..ddfa9688 100644
--- a/ascend_deployer/module_utils/path_manager.py
+++ b/ascend_deployer/module_utils/path_manager.py
@@ -37,7 +37,7 @@ def get_validated_env(
     # 软连接校验
     if check_symlink:
         symlink_check(env_name, value)
-    if check_owner and not owner_check(value):
+    if check_owner and os.path.lexists(value) and not owner_check(value):
         raise ValueError("The path {} is not owned by current user or root.".format(value))
     return value
 
-- 
Gitee


From 2be54c943c4833b8c598c02324ebfc008309bd00 Mon Sep 17 00:00:00 2001
From: shenlian <shenlian6@huawei.com>
Date: Thu, 3 Jul 2025 20:04:39 +0800
Subject: [PATCH 3/3] add  env check

---
 ascend_deployer/module_utils/path_manager.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/ascend_deployer/module_utils/path_manager.py b/ascend_deployer/module_utils/path_manager.py
index ddfa9688..121e5898 100644
--- a/ascend_deployer/module_utils/path_manager.py
+++ b/ascend_deployer/module_utils/path_manager.py
@@ -5,14 +5,13 @@ import string
 
 _CUR_DIR = os.path.dirname(__file__)
 PATH_WHITE_LIST_LIN = string.digits + string.ascii_letters + '~-+_./ '
+MIN_PATH_LEN = 1
 MAX_PATH_LEN = 4096
 
 
 def get_validated_env(
         env_name,
         whitelist=PATH_WHITE_LIST_LIN,
-        min_length=1,
-        max_length=MAX_PATH_LEN,
         check_symlink=True,
         check_owner=True
 ):
@@ -20,8 +19,6 @@ def get_validated_env(
     获取并验证环境变量 (兼容 Python 2/3)
     :param env_name: 环境变量名称
     :param whitelist: 允许的值列表
-    :param min_length: 最小长度限制
-    :param max_length: 最大长度限制
     :param check_symlink: 是否检查软链接
     :param check_owner: 属组检查
     :return: 验证通过的环境变量值
@@ -33,7 +30,7 @@ def get_validated_env(
     # 白名单校验
     whitelist_check(value, whitelist)
     # 长度校验
-    length_check(env_name, max_length, min_length, value)
+    length_check(env_name, MAX_PATH_LEN, MIN_PATH_LEN, value)
     # 软连接校验
     if check_symlink:
         symlink_check(env_name, value)
-- 
Gitee