From 82207356ec2c5d06d964ae44b7fd409dad54de30 Mon Sep 17 00:00:00 2001
From: Fushuling <2425404240@qq.com>
Date: Wed, 18 Mar 2026 14:26:03 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E9=89=B4=E6=9D=83?=
 =?UTF-8?q?=E7=BB=95=E8=BF=87=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../jeecgframework/core/interceptors/AuthInterceptor.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java b/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
index b35a9824..29f736fc 100644
--- a/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
+++ b/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
@@ -86,6 +86,11 @@ public class AuthInterceptor implements HandlerInterceptor {
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
 String requestPath = ResourceUtil.getRequestPath(request); // 用户访问的资源地址
 //logger.info("-----authInterceptor----requestPath------" + requestPath);
+ // 基础安全校验:防止鉴权绕过漏洞
+ if (requestPath != null && (requestPath.contains("..") || requestPath.contains("%2e") || requestPath.contains("%2E"))) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request path");
+ return false;
+ }
 // 步骤一: 判断是否是排除拦截请求,直接返回 TRUE
 if (requestPath.matches("^rest/[a-zA-Z0-9_/]+$")) {
 return true;
--
Gitee
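Review bot: The added guard is a substring denylist on the raw `requestPath`, so it only recognises the literal `..` and the single-level `%2e`/`%2E` spelling; whether that is enough depends on what `ResourceUtil.getRequestPath` returns (already URL-decoded or still encoded), which is not visible in this hunk and should be stated in the comment above the check. A more robust shape is to decode once and compare the canonical form, e.g. `String decoded = URLDecoder.decode(requestPath, "UTF-8");` followed by applying the same `..` test to `decoded`, bearing in mind that `URLDecoder.decode` throws `IllegalArgumentException` on a malformed escape and this method is declared `throws Exception`, so such input would surface as a 500 rather than the intended 400 unless caught and turned into the same `sendError`. The new `requestPath != null` guard is also inconsistent with the unchanged `requestPath.matches(...)` two lines below, which still dereferences a null path, so either the null case should be rejected here or the guard is redundant. `preHandle`'s body continues outside the hunk.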