diff --git a/services/backup_sa/include/module_ipc/svc_session_manager.h b/services/backup_sa/include/module_ipc/svc_session_manager.h
index 320a0b7b4ee8cda3212cd060d492dd7256e76eb4..6113ac1aad08eb38a6ac61dd3e9b5cd905ddaba7 100644
--- a/services/backup_sa/include/module_ipc/svc_session_manager.h
+++ b/services/backup_sa/include/module_ipc/svc_session_manager.h
@@ -69,7 +69,7 @@ public:
             Caller must complete all processes before next user tigger.<Session>
             [RESTORE] Support for multiple users, incoming during restore process.
         */
-        int32_t userId;
+        int32_t userId {100};
     };
 
 public:
diff --git a/services/backup_sa/src/module_ipc/service.cpp b/services/backup_sa/src/module_ipc/service.cpp
index 7efc4660b88b36e37087632c6f66e5e4ce6f3fbb..aec7bbd0abd56c0571e4e4a9bc2221e8f914ff5c 100644
--- a/services/backup_sa/src/module_ipc/service.cpp
+++ b/services/backup_sa/src/module_ipc/service.cpp
@@ -38,6 +38,7 @@
 #include "ability_manager_client.h"
 #include "accesstoken_kit.h"
 #include "b_error/b_error.h"
+#include "b_error/b_excep_utils.h"
 #include "b_file_info.h"
 #include "b_json/b_json_cached_entity.h"
 #include "b_json/b_json_entity_caps.h"
@@ -90,9 +91,10 @@ UniqueFd Service::GetLocalCapabilities()
         */
         session_->SetSessionUserId(GetUserIdDefault(IPCSkeleton::GetCallingUid()));
         VerifyCaller();
+        string path = BConstants::GetSaBundleBackupRootDir(session_->GetSessionUserId());
+        BExcepUltils::VerifyPath(path, false);
         BJsonCachedEntity<BJsonEntityCaps> cachedEntity(
-            UniqueFd(open(BConstants::GetSaBundleBackupRootDir(
-                session_->GetSessionUserId()).data(), O_TMPFILE | O_RDWR, 0600)));
+            UniqueFd(open(path.data(), O_TMPFILE | O_RDWR, S_IRUSR | S_IWUSR)));
 
         auto cache = cachedEntity.Structuralize();
 
@@ -398,9 +400,9 @@ ErrCode Service::LaunchBackupExtension(const BundleName &bundleName)
         }
 
         AAFwk::Want want;
-        string backupExtName = session_->GetBackupExtName(bundleName); /* new device app ext name */
-        string versionName = session_->GetBundleVersionName(bundleName); /* old device app version name */
-        uint32_t versionCode = session_->GetBundleVersionCode(bundleName); /* old device app version code */
+        string backupExtName = session_->GetBackupExtName(bundleName);            /* new device app ext name */
+        string versionName = session_->GetBundleVersionName(bundleName);          /* old device app version name */
+        uint32_t versionCode = session_->GetBundleVersionCode(bundleName);        /* old device app version code */
         RestoreTypeEnum restoreType = session_->GetBundleRestoreType(bundleName); /* app restore type */
 
         want.SetElementName(bundleName, backupExtName);
diff --git a/tools/backup_tool/src/tools_op_restore_async.cpp b/tools/backup_tool/src/tools_op_restore_async.cpp
index 82ed497795d434e044fe08ea40b240de34e2343f..104d2194a5098a75c14c1278df3fa5445c843634 100644
--- a/tools/backup_tool/src/tools_op_restore_async.cpp
+++ b/tools/backup_tool/src/tools_op_restore_async.cpp
@@ -94,6 +94,7 @@ static void OnFileReady(shared_ptr<SessionAsync> ctx, const BFileInfo &fileInfo,
     if (access(tmpPath.data(), F_OK) != 0) {
         throw BError(BError::Codes::TOOL_INVAL_ARG, generic_category().message(errno));
     }
+    BExcepUltils::VerifyPath(tmpPath, false);
     UniqueFd fdLocal(open(tmpPath.data(), O_RDONLY));
     if (fdLocal < 0) {
         throw BError(BError::Codes::TOOL_INVAL_ARG, generic_category().message(errno));
@@ -169,6 +170,7 @@ static void RestoreApp(shared_ptr<SessionAsync> restore, vector<BundleName> &bun
 
 static int32_t ChangeBundleInfo(const string &pathCapFile, const vector<string> &bundleNames, const string &type)
 {
+    BExcepUltils::VerifyPath(pathCapFile, false);
     UniqueFd fd(open(pathCapFile.data(), O_RDWR, S_IRWXU));
     if (fd < 0) {
         fprintf(stderr, "Failed to open file error: %d %s\n", errno, strerror(errno));
@@ -181,7 +183,7 @@ static int32_t ChangeBundleInfo(const string &pathCapFile, const vector<string>
     vector<BJsonEntityCaps::BundleInfo> bundleInfos;
     for (auto name : bundleNames) {
         string versionName = string(BConstants::DEFAULT_VERSION_NAME);
-        int32_t versionCode = BConstants::DEFAULT_VERSION_CODE;
+        uint32_t versionCode = static_cast<uint32_t>(BConstants::DEFAULT_VERSION_CODE);
         if (type == "false") {
             auto iter = find_if(infos.begin(), infos.end(), [name](const auto &it) { return it.name == name; });
             if (iter != infos.end()) {
@@ -209,6 +211,7 @@ static int32_t AppendBundles(shared_ptr<SessionAsync> restore,
                              const string &type,
                              const string &userId)
 {
+    BExcepUltils::VerifyPath(pathCapFile, false);
     UniqueFd fd(open(pathCapFile.data(), O_RDWR, S_IRWXU));
     if (fd < 0) {
         fprintf(stderr, "Failed to open file error: %d %s\n", errno, strerror(errno));