From 64516b22106294f541c07a443cc6358fda56c1a0 Mon Sep 17 00:00:00 2001
From: YunaiV
Date: Sun, 13 Jul 2025 16:06:41 +0800
Subject: [PATCH] =?UTF-8?q?fix=EF=BC=9A=E3=80=90INFRA=20=E5=9F=BA=E7=A1=80?= =?UTF-8?q?=E8=AE=BE=E6=96=BD=E3=80=91=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E6=97=B6=EF=BC=8Cdirectory=20=E6=94=AF=E6=8C=81=E4=BB=BB?= =?UTF-8?q?=E6=84=8F=E8=B7=AF=E5=BE=84=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/admin/file/vo/file/FileUploadReqVO.java | 9 +++++++++
 .../infra/controller/app/file/vo/AppFileUploadReqVO.java | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
index 4096f477e..44e8b65d7 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
@@ -1,6 +1,9 @@
 package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file;
 
+import cn.hutool.core.util.StrUtil;
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.AssertTrue;
 import jakarta.validation.constraints.NotNull;
 import lombok.Data;
 import org.springframework.web.multipart.MultipartFile;
@@ -16,4 +19,10 @@ public class FileUploadReqVO {
 @Schema(description = "文件目录", example = "XXX/YYY")
 private String directory;
 
+ @AssertTrue(message = "文件目录不正确")
+ @JsonIgnore
+ public boolean isDirectoryValid() {
+ return !StrUtil.containsAny(directory, "..", "/", "\\");
+ }
+
 }
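Review bot: The new `isDirectoryValid()` refuses any `/`, but the `@Schema` example on the `directory` field just above it is still `XXX/YYY`, so the documented value now fails validation. Either the example should become a single segment, or nested directories should be accepted segment by segment. The check is also a denylist of three substrings; an allowlist such as `return StrUtil.isEmpty(directory) || directory.matches("[A-Za-z0-9_-]+");` states the accepted shape directly and excludes control characters and anything else outside the expected alphabet. The constraint only runs when the controller binds this VO with `@Valid`/`@Validated`, which the patch does not show. The code that joins `directory` into the storage path is presumably unchanged, so a normalize-and-compare against the storage root there would cover callers that bypass the VO. The same method is added in the second hunk of `AppFileUploadReqVO.java`, and all of this applies there too.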
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
index fde120a06..d10a21cc4 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
@@ -1,6 +1,9 @@
 package cn.iocoder.yudao.module.infra.controller.app.file.vo;
 
+import cn.hutool.core.util.StrUtil;
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.AssertTrue;
 import jakarta.validation.constraints.NotNull;
 import lombok.Data;
 import org.springframework.web.multipart.MultipartFile;
@@ -16,4 +19,10 @@ public class AppFileUploadReqVO {
 @Schema(description = "文件目录", example = "XXX/YYY")
 private String directory;
 
+ @AssertTrue(message = "文件目录不正确")
+ @JsonIgnore
+ public boolean isDirectoryValid() {
+ return !StrUtil.containsAny(directory, "..", "/", "\\");
+ }
+
 }
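Review bot: `isDirectoryValid()` in this second hunk is a verbatim copy of the method added to `FileUploadReqVO`, so the admin and app upload endpoints can drift apart the next time the path rule changes. A shared helper or a custom constraint annotation applied to the `directory` field in both VOs would keep the rule in one place. The method also carries no comment saying why separators are refused; a line such as `// directory is joined into the storage path: refuse separators and ".." so an upload stays under its configured root` above `@AssertTrue` would record the intent. The class declaration begins outside the hunk.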