From be27ba3aa638f7d0cacf8466eba86f93a33244dc Mon Sep 17 00:00:00 2001
From: YunaiV
Date: Sat, 13 Dec 2025 09:39:30 +0800
Subject: [PATCH] =?UTF-8?q?fix(infra):=20=E6=96=87=E4=BB=B6=E4=B8=8A?= =?UTF-8?q?=E4=BC=A0=E6=97=B6=EF=BC=8C=E6=94=BE=E5=AE=BD=20directory=20?= =?UTF-8?q?=E6=A0=A1=E9=AA=8C=EF=BC=8C=E5=8F=AF=E6=94=AF=E6=8C=81=E7=B1=BB?= =?UTF-8?q?=E4=BC=BC=20XXX/YYY=20=E7=9B=AE=E5=BD=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/admin/file/vo/file/FileUploadReqVO.java | 9 ++++++++-
 .../infra/controller/app/file/vo/AppFileUploadReqVO.java | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
index 44e8b65d76..06dff7c087 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
@@ -22,7 +22,14 @@ public class FileUploadReqVO {
 @AssertTrue(message = "文件目录不正确")
 @JsonIgnore
 public boolean isDirectoryValid() {
- return !StrUtil.containsAny(directory, "..", "/", "\\");
+ return isDirectoryValid(directory);
+ }
+
+ public static boolean isDirectoryValid(String directory) {
+ // 1. 不能包含 .. 防止目录穿越
+ // 2. 不能以 / 或 \ 开头,防止上传到根目录
+ return !StrUtil.contains(directory, "..")
+ && !StrUtil.startWithAny(directory, "/", "\\");
 }
 }
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
index d10a21cc49..9423906ba6 100644
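Review bot: The relaxed rule in the new static `isDirectoryValid(String)` still rejects `..` anywhere and a leading `/` or `\`, but a drive-letter absolute path such as `C:\uploads` (constructed example) now passes where the old `containsAny` rejected any backslash; whether that matters depends on the storage client the directory is later handed to, which is outside this hunk. A one-line tightening would be `&& !(directory != null && directory.matches("^[A-Za-z]:.*"))` appended to the returned conjunction. Since the check is a substring denylist on the raw string, the code that joins `directory` onto the storage root should also resolve and normalize the result and confirm it still starts with the root, so this validator is not the only barrier. As far as I recall the hutool helpers return false for a null or empty input, so both the old and the new check accept an absent `directory`; presumably intended for an optional field, but worth confirming against the field's annotations. The enclosing class continues outside the hunk.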
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
@@ -1,6 +1,6 @@
 package cn.iocoder.yudao.module.infra.controller.app.file.vo;
-import cn.hutool.core.util.StrUtil;
+import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.FileUploadReqVO;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.AssertTrue;
@@ -22,7 +22,7 @@ public class AppFileUploadReqVO {
 @AssertTrue(message = "文件目录不正确")
 @JsonIgnore
 public boolean isDirectoryValid() {
- return !StrUtil.containsAny(directory, "..", "/", "\\");
+ return FileUploadReqVO.isDirectoryValid(directory);
 }
 }
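Review bot: `AppFileUploadReqVO` (the app-side API) now imports and calls the admin request VO `FileUploadReqVO` solely to reuse one static validator, which couples the app controller layer to an admin controller class; the delegation `return FileUploadReqVO.isDirectoryValid(directory);` in the second hunk is fine in itself, but the rule would sit better in a shared utility class of the module that both VOs call, with the import hunk pointing at that helper instead. A short Javadoc on the shared method stating the two rules it enforces (no `..` anywhere, no leading `/` or `\`) would let both VOs document their `@AssertTrue` contract in one place. The enclosing class body continues outside the hunk.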