From 0b6e9f7ee41172aa75db4ebdcb2565211bc8559e Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Wed, 9 Jul 2025 08:01:48 +0000
Subject: [PATCH] Refactor file path validation using @AssertTrue method in
 upload VOss

Co-authored-by: zhijiantianya <zhijiantianya@gmail.com>
---
 test_assert_true.class                        | Bin 0 -> 2579 bytes
 .../controller/admin/file/FileController.java |   3 +-
 .../admin/file/vo/file/FileUploadReqVO.java   |  34 +++++-
 .../validator/DirectoryParamValidator.java    |  65 ----------
 .../vo/file/validator/DirectoryValidator.java |  65 ----------
 .../vo/file/validator/ValidDirectory.java     |  23 ----
 .../file/validator/ValidDirectoryParam.java   |  23 ----
 .../app/file/AppFileController.java           |   3 +-
 .../app/file/vo/AppFileUploadReqVO.java       |  34 +++++-
 .../file/core/utils/PathValidationUtils.java  | 104 ----------------
 .../infra/service/file/FileServiceImpl.java   |  19 +--
 .../file/vo/file/FileUploadReqVOTest.java     |  92 +++++++++++++++
 .../core/utils/PathValidationUtilsTest.java   | 111 ------------------
 13 files changed, 164 insertions(+), 412 deletions(-)
 create mode 100644 test_assert_true.class
 delete mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryParamValidator.java
 delete mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryValidator.java
 delete mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectory.java
 delete mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectoryParam.java
 delete mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
 create mode 100644 yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVOTest.java
 delete mode 100644 yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java

diff --git a/test_assert_true.class b/test_assert_true.class
new file mode 100644
index 0000000000000000000000000000000000000000..dc2ac85b0bdc42c7f82f0042f850c54df4f46fd7
GIT binary patch
literal 2579
zcmaJ@Yi|@)7=BK7c4xYs(sFdsauHC9z0e(8ZN(N5SV6%SFN@Ve6^GrS9lATS?95V%
zcg6c%L@pu5keJ5U#OQ}=Oyrw>@Mjp~Z}5Y$K4-STHeGF|Pv7%i&UxSWdCyFL`{$>t
z0CwS05>1Hd&`iXU5NJPcpR}!_?M+yZ9zE{lLxIG0*K@-i0<o^{Q60t-r(9TZy$J(J
z0T?g^R)kIvS_QYlSidr3V1+>2Qk`X>ol0w|)_~;Bk<O}*znR)}+T!Dcd8=#(!F0jE
zDuGq$^f;es*DLtb!FVtegih)1jDcID2nH;PSRF+$ph3ji$kv%TmQE9R4)NMaw+XDJ
zx<4Pm;%QvoIB$c%ZJik>dX8NemhN)9K+BSJHVNF69c+-xX68~Y7k#@BSedPvd#tT@
zS#HUmZ~_Be+@&;=KIRskba*OEq6fV?wwUNcda-#&*dV789tkT|hblLC@ER4PcF`>e
zq`HQ0a9pErsQXYew&E@w854Ko9>&$VM13XuewD+Jss+2g^%#i{8SmJoAp-++`2F%(
z1KT3uyn#VZ&Yzdx`SaY{2DU5t{Fjs^r*4Od2e4D%mXbZ?WPLAhhflfTB&8s<y)Y2i
z-yp~3SufXgFIOe88(AF>n%INA?0Hn!()0!NvMQ$N{YQ63Rihs^u}^hbcY{5payXNO
zjz>%kV}!bjQ!d(hHhfiAHrpTz1CI&_OT|2H;t91+lEqfSKvizwpn&=8;az=)?7q{_
z45oXO<EV+Jq615In4eVij|nuT(*_Q+#~fq>&qM<6(-DDqG`j}un%JK=kYCj9HNe!A
zLx0x51j(pPsR1{V_jG3V7?=`hzCOJMO3_l8Iy2nBr)Qc!7Ee2|D33D*vZX6MZ;XNJ
zwMBnkRWNPh6lOTHp+D?TJC&>*FprzN8Z=0`KX2j%yeMGgeJ`|Kk6W*)AB60rUCB8o
zs*aa;II=3_WfQO9Ri;yPyoqp<?da;>C!l5h0#9lic0K1nwRF^}9JG%XsnJT@SFv<>
z`J{A@3bf`zJ3lpImm_~2Z*yWAxRSk`U#;Ywy}XGW8uiwyzj$diWxPeZeLoDsid`OY
z!b!hC3O`_ZVuRSww_}57OW>m<KE@|HK2=xZtiYxl_s;cB`csZoyP>sPve%B@sR9@3
z+p_3bJK|y6D-@kz)3EPPRm(%mtE|&32|PGcb{e?X7hn4z4Arx@xJA}37ISXs3~`M2
zc^;WAs@G7U<8y(|Wi>TQRmTOsM*rWHJlE>NMqbD!zDfWMoNOeBuW_}GfB7Xsyypjq
z?<feoPE=+fhGv|>8<goPstnbsooiqDGxV{T$c<^TIX4!UExECTY|V}7vMo1e$d$RV
z_Jq8NsLK@5khc(<Wd|`S*AQFeI-)7p6I<m*;tF{Ou}yXo+vT0P;ogxgS9in)w3N2)
z3Wm0%w9H_<BmN`02NK`IN+mABko~iW%X>TGwbgxUHS`ni2j;Qsj3#Cmeo+-QMHQ`P
zO<?{G)?fx}c?;IzE6U$sJ>I0{JQ52iA+F=C+9TM31se4_jSijd(y@DiJy~XGqJbU@
zXjyLKe+<eNnHz*^*UgbfE4Y`+gNZe(Z`C3N8%cpd-FH1d;-QO(YjZvA<L%Zw_7C^U
z1M_(763kwio5zzh#^&1FBBJEeim5}2sd2^Bvx=$b6jMjp?Sw24b$N_v$Vp<eJWfo?
zBC$n!L{pZDt+GN~A;a8A?>tT(*fOYfXjcc~v4KP?k&0iznhq_M$PDUz9r`>@M=6|1
zkcL0BIVN4>Ap?{0?PTH(mUbs32Xhm8u^ARQ>F2Z!;0xS~S!~1Cl)uIHh@Z_!H2;m&
zY>!xg8+9`3C%dGGP;A}$7Y943K038_aktuVuk861$)0(<bP2jP3oUjdo!X%9jE+bk
j))L#vS0dht(tQ{2@vp&6KIHHF_>8M0rE?sXi|F_lxr|xA

literal 0
HcmV?d00001

diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java
index c763414f78..afcf716237 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java
@@ -8,7 +8,6 @@ import cn.iocoder.yudao.framework.common.pojo.PageResult;
 import cn.iocoder.yudao.framework.common.util.object.BeanUtils;
 import cn.iocoder.yudao.framework.tenant.core.aop.TenantIgnore;
 import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.*;
-import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator.ValidDirectoryParam;
 import cn.iocoder.yudao.module.infra.dal.dataobject.file.FileDO;
 import cn.iocoder.yudao.module.infra.service.file.FileService;
 import io.swagger.v3.oas.annotations.Operation;
@@ -59,7 +58,7 @@ public class FileController {
     })
     public CommonResult<FilePresignedUrlRespVO> getFilePresignedUrl(
             @RequestParam("name") String name,
-            @ValidDirectoryParam @RequestParam(value = "directory", required = false) String directory) {
+            @RequestParam(value = "directory", required = false) String directory) {
         return success(fileService.getFilePresignedUrl(name, directory));
     }
 
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
index 56aae23a91..855a105d13 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
@@ -1,7 +1,8 @@
 package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file;
 
-import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator.ValidDirectory;
+import cn.hutool.core.util.StrUtil;
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.AssertTrue;
 import jakarta.validation.constraints.NotNull;
 import lombok.Data;
 import org.springframework.web.multipart.MultipartFile;
@@ -15,7 +16,36 @@ public class FileUploadReqVO {
     private MultipartFile file;
 
     @Schema(description = "文件目录", example = "XXX/YYY")
-    @ValidDirectory(message = "目录路径无效，包含非法字符")
     private String directory;
 
+    @AssertTrue(message = "目录路径无效，包含非法字符")
+    public boolean isDirectoryValid() {
+        if (StrUtil.isEmpty(directory)) {
+            return true; // 空值认为是有效的
+        }
+        
+        // 统一使用正斜杠
+        String normalizedPath = directory.replace('\\', '/');
+        
+        // 检查绝对路径
+        if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
+            return false;
+        }
+        
+        // 检查路径遍历攻击
+        String[] dangerousPatterns = {
+            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
+            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
+            "....//", "....\\\\", "....%2f", "....%5c"
+        };
+        
+        String lowerPath = normalizedPath.toLowerCase();
+        for (String pattern : dangerousPatterns) {
+            if (lowerPath.contains(pattern)) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
 }
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryParamValidator.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryParamValidator.java
deleted file mode 100644
index 5356a4e5d6..0000000000
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryParamValidator.java
+++ /dev/null
@@ -1,65 +0,0 @@
-package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator;
-
-import cn.hutool.core.util.StrUtil;
-import jakarta.validation.ConstraintValidator;
-import jakarta.validation.ConstraintValidatorContext;
-
-/**
- * 目录路径参数验证器实现
- * 
- * @author 芋道源码
- */
-public class DirectoryParamValidator implements ConstraintValidator<ValidDirectoryParam, String> {
-
-    @Override
-    public void initialize(ValidDirectoryParam constraintAnnotation) {
-        // 初始化方法，如果需要可以在这里进行一些初始化操作
-    }
-
-    @Override
-    public boolean isValid(String directory, ConstraintValidatorContext context) {
-        // 如果为空，则认为是有效的（可选字段）
-        if (StrUtil.isEmpty(directory)) {
-            return true;
-        }
-
-        // 检查是否包含路径遍历攻击
-        return !containsPathTraversal(directory);
-    }
-
-    /**
-     * 检查路径是否包含路径遍历攻击
-     *
-     * @param path 路径
-     * @return 是否包含路径遍历攻击
-     */
-    private boolean containsPathTraversal(String path) {
-        if (StrUtil.isEmpty(path)) {
-            return false;
-        }
-
-        // 统一使用正斜杠
-        String normalizedPath = path.replace('\\', '/');
-
-        // 检查常见的路径遍历模式
-        String[] dangerousPatterns = {
-            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
-            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
-            "....//", "....\\\\", "....%2f", "....%5c"
-        };
-
-        String lowerPath = normalizedPath.toLowerCase();
-        for (String pattern : dangerousPatterns) {
-            if (lowerPath.contains(pattern)) {
-                return true;
-            }
-        }
-
-        // 检查绝对路径
-        if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
-            return true;
-        }
-
-        return false;
-    }
-}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryValidator.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryValidator.java
deleted file mode 100644
index 9745c71521..0000000000
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/DirectoryValidator.java
+++ /dev/null
@@ -1,65 +0,0 @@
-package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator;
-
-import cn.hutool.core.util.StrUtil;
-import jakarta.validation.ConstraintValidator;
-import jakarta.validation.ConstraintValidatorContext;
-
-/**
- * 目录路径验证器实现
- * 
- * @author 芋道源码
- */
-public class DirectoryValidator implements ConstraintValidator<ValidDirectory, String> {
-
-    @Override
-    public void initialize(ValidDirectory constraintAnnotation) {
-        // 初始化方法，如果需要可以在这里进行一些初始化操作
-    }
-
-    @Override
-    public boolean isValid(String directory, ConstraintValidatorContext context) {
-        // 如果为空，则认为是有效的（可选字段）
-        if (StrUtil.isEmpty(directory)) {
-            return true;
-        }
-
-        // 检查是否包含路径遍历攻击
-        return !containsPathTraversal(directory);
-    }
-
-    /**
-     * 检查路径是否包含路径遍历攻击
-     *
-     * @param path 路径
-     * @return 是否包含路径遍历攻击
-     */
-    private boolean containsPathTraversal(String path) {
-        if (StrUtil.isEmpty(path)) {
-            return false;
-        }
-
-        // 统一使用正斜杠
-        String normalizedPath = path.replace('\\', '/');
-
-        // 检查常见的路径遍历模式
-        String[] dangerousPatterns = {
-            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
-            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
-            "....//", "....\\\\", "....%2f", "....%5c"
-        };
-
-        String lowerPath = normalizedPath.toLowerCase();
-        for (String pattern : dangerousPatterns) {
-            if (lowerPath.contains(pattern)) {
-                return true;
-            }
-        }
-
-        // 检查绝对路径
-        if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
-            return true;
-        }
-
-        return false;
-    }
-}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectory.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectory.java
deleted file mode 100644
index 2ba12e9b8d..0000000000
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectory.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator;
-
-import jakarta.validation.Constraint;
-import jakarta.validation.Payload;
-import java.lang.annotation.*;
-
-/**
- * 目录路径验证注解
- * 
- * @author 芋道源码
- */
-@Target({ElementType.FIELD, ElementType.PARAMETER})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-@Constraint(validatedBy = DirectoryValidator.class)
-public @interface ValidDirectory {
-
-    String message() default "目录路径无效，包含非法字符";
-
-    Class<?>[] groups() default {};
-
-    Class<? extends Payload>[] payload() default {};
-}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectoryParam.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectoryParam.java
deleted file mode 100644
index 3dfe00cd9c..0000000000
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/validator/ValidDirectoryParam.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator;
-
-import jakarta.validation.Constraint;
-import jakarta.validation.Payload;
-import java.lang.annotation.*;
-
-/**
- * 目录路径参数验证注解
- * 
- * @author 芋道源码
- */
-@Target({ElementType.FIELD, ElementType.PARAMETER})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-@Constraint(validatedBy = DirectoryParamValidator.class)
-public @interface ValidDirectoryParam {
-
-    String message() default "目录路径无效，包含非法字符";
-
-    Class<?>[] groups() default {};
-
-    Class<? extends Payload>[] payload() default {};
-}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/AppFileController.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/AppFileController.java
index 9290b6caf5..a17e18b61d 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/AppFileController.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/AppFileController.java
@@ -5,7 +5,6 @@ import cn.iocoder.yudao.framework.common.pojo.CommonResult;
 import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.FileCreateReqVO;
 import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.FilePresignedUrlRespVO;
 import cn.iocoder.yudao.module.infra.controller.app.file.vo.AppFileUploadReqVO;
-import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator.ValidDirectoryParam;
 import cn.iocoder.yudao.module.infra.service.file.FileService;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
@@ -49,7 +48,7 @@ public class AppFileController {
     })
     public CommonResult<FilePresignedUrlRespVO> getFilePresignedUrl(
             @RequestParam("name") String name,
-            @ValidDirectoryParam @RequestParam(value = "directory", required = false) String directory) {
+            @RequestParam(value = "directory", required = false) String directory) {
         return success(fileService.getFilePresignedUrl(name, directory));
     }
 
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
index 3364607cbe..2deea50815 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
@@ -1,7 +1,8 @@
 package cn.iocoder.yudao.module.infra.controller.app.file.vo;
 
-import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.validator.ValidDirectory;
+import cn.hutool.core.util.StrUtil;
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.AssertTrue;
 import jakarta.validation.constraints.NotNull;
 import lombok.Data;
 import org.springframework.web.multipart.MultipartFile;
@@ -15,7 +16,36 @@ public class AppFileUploadReqVO {
     private MultipartFile file;
 
     @Schema(description = "文件目录", example = "XXX/YYY")
-    @ValidDirectory(message = "目录路径无效，包含非法字符")
     private String directory;
 
+    @AssertTrue(message = "目录路径无效，包含非法字符")
+    public boolean isDirectoryValid() {
+        if (StrUtil.isEmpty(directory)) {
+            return true; // 空值认为是有效的
+        }
+        
+        // 统一使用正斜杠
+        String normalizedPath = directory.replace('\\', '/');
+        
+        // 检查绝对路径
+        if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
+            return false;
+        }
+        
+        // 检查路径遍历攻击
+        String[] dangerousPatterns = {
+            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
+            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
+            "....//", "....\\\\", "....%2f", "....%5c"
+        };
+        
+        String lowerPath = normalizedPath.toLowerCase();
+        for (String pattern : dangerousPatterns) {
+            if (lowerPath.contains(pattern)) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
 }
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
deleted file mode 100644
index 7ca12f886c..0000000000
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
+++ /dev/null
@@ -1,104 +0,0 @@
-package cn.iocoder.yudao.module.infra.framework.file.core.utils;
-
-import cn.hutool.core.util.StrUtil;
-import cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil;
-import static cn.iocoder.yudao.module.infra.enums.ErrorCodeConstants.*;
-
-/**
- * 路径验证工具类
- * 
- * @author 芋道源码
- */
-public class PathValidationUtils {
-
-    /**
-     * 验证并清理目录路径，防止路径遍历攻击
-     *
-     * @param directory 原始目录路径
-     * @return 清理后的目录路径
-     */
-    public static String validateAndCleanDirectory(String directory) {
-        if (StrUtil.isEmpty(directory)) {
-            return null;
-        }
-
-        // 1. 检查是否包含路径遍历攻击的字符序列
-        String normalizedPath = directory.replace('\\', '/'); // 统一使用正斜杠
-        if (containsPathTraversal(normalizedPath)) {
-            throw ServiceExceptionUtil.exception(FILE_PATH_INVALID);
-        }
-
-        // 2. 清理路径，移除多余的斜杠和点
-        String cleanedPath = cleanPath(normalizedPath);
-        
-        // 3. 确保路径不以斜杠开头或结尾
-        if (cleanedPath.startsWith("/")) {
-            cleanedPath = cleanedPath.substring(1);
-        }
-        if (cleanedPath.endsWith("/")) {
-            cleanedPath = cleanedPath.substring(0, cleanedPath.length() - 1);
-        }
-
-        return cleanedPath.isEmpty() ? null : cleanedPath;
-    }
-
-    /**
-     * 检查路径是否包含路径遍历攻击
-     *
-     * @param path 路径
-     * @return 是否包含路径遍历攻击
-     */
-    private static boolean containsPathTraversal(String path) {
-        if (StrUtil.isEmpty(path)) {
-            return false;
-        }
-
-        // 检查常见的路径遍历模式
-        String[] dangerousPatterns = {
-            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
-            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
-            "....//", "....\\\\", "....%2f", "....%5c"
-        };
-
-        String lowerPath = path.toLowerCase();
-        for (String pattern : dangerousPatterns) {
-            if (lowerPath.contains(pattern)) {
-                return true;
-            }
-        }
-
-        // 检查绝对路径
-        if (path.startsWith("/") || path.matches("^[A-Za-z]:.*")) {
-            return true;
-        }
-
-        return false;
-    }
-
-    /**
-     * 清理路径，移除多余的斜杠和点
-     *
-     * @param path 原始路径
-     * @return 清理后的路径
-     */
-    private static String cleanPath(String path) {
-        if (StrUtil.isEmpty(path)) {
-            return path;
-        }
-
-        // 移除多余的斜杠
-        path = path.replaceAll("/+", "/");
-        
-        // 移除开头的斜杠
-        if (path.startsWith("/")) {
-            path = path.substring(1);
-        }
-
-        // 移除结尾的斜杠
-        if (path.endsWith("/")) {
-            path = path.substring(0, path.length() - 1);
-        }
-
-        return path;
-    }
-}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
index 15e98dd0bb..98447fb370 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
@@ -15,7 +15,6 @@ import cn.iocoder.yudao.module.infra.dal.mysql.file.FileMapper;
 import cn.iocoder.yudao.module.infra.framework.file.core.client.FileClient;
 import cn.iocoder.yudao.module.infra.framework.file.core.client.s3.FilePresignedUrlRespDTO;
 import cn.iocoder.yudao.module.infra.framework.file.core.utils.FileTypeUtils;
-import cn.iocoder.yudao.module.infra.framework.file.core.utils.PathValidationUtils;
 import com.google.common.annotations.VisibleForTesting;
 import jakarta.annotation.Resource;
 import lombok.SneakyThrows;
@@ -95,10 +94,7 @@ public class FileServiceImpl implements FileService {
 
     @VisibleForTesting
     String generateUploadPath(String name, String directory) {
-        // 1. 验证并清理目录路径，防止路径遍历攻击
-        directory = PathValidationUtils.validateAndCleanDirectory(directory);
-        
-        // 2. 生成前缀、后缀
+        // 1. 生成前缀、后缀
         String prefix = null;
         if (PATH_PREFIX_DATE_ENABLE) {
             prefix = LocalDateTimeUtil.format(LocalDateTimeUtil.now(), PURE_DATE_PATTERN);
@@ -108,7 +104,7 @@ public class FileServiceImpl implements FileService {
             suffix = String.valueOf(System.currentTimeMillis());
         }
 
-        // 3.1 先拼接 suffix 后缀
+        // 2.1 先拼接 suffix 后缀
         if (StrUtil.isNotEmpty(suffix)) {
             String ext = FileUtil.extName(name);
             if (StrUtil.isNotEmpty(ext)) {
@@ -117,11 +113,11 @@ public class FileServiceImpl implements FileService {
                 name = name + StrUtil.C_UNDERLINE + suffix;
             }
         }
-        // 3.2 再拼接 prefix 前缀
+        // 2.2 再拼接 prefix 前缀
         if (StrUtil.isNotEmpty(prefix)) {
             name = prefix + StrUtil.SLASH + name;
         }
-        // 3.3 最后拼接 directory 目录
+        // 2.3 最后拼接 directory 目录
         if (StrUtil.isNotEmpty(directory)) {
             name = directory + StrUtil.SLASH + name;
         }
@@ -131,13 +127,10 @@ public class FileServiceImpl implements FileService {
     @Override
     @SneakyThrows
     public FilePresignedUrlRespVO getFilePresignedUrl(String name, String directory) {
-        // 1. 验证并清理目录路径，防止路径遍历攻击
-        directory = PathValidationUtils.validateAndCleanDirectory(directory);
-        
-        // 2. 生成上传的 path，需要保证唯一
+        // 1. 生成上传的 path，需要保证唯一
         String path = generateUploadPath(name, directory);
 
-        // 3. 获取文件预签名地址
+        // 2. 获取文件预签名地址
         FileClient fileClient = fileConfigService.getMasterFileClient();
         FilePresignedUrlRespDTO presignedObjectUrl = fileClient.getPresignedObjectUrl(path);
         return BeanUtils.toBean(presignedObjectUrl, FilePresignedUrlRespVO.class,
diff --git a/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVOTest.java b/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVOTest.java
new file mode 100644
index 0000000000..14bac615f2
--- /dev/null
+++ b/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVOTest.java
@@ -0,0 +1,92 @@
+package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file;
+
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import jakarta.validation.ValidatorFactory;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockMultipartFile;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * FileUploadReqVO 测试类
+ *
+ * @author 芋道源码
+ */
+class FileUploadReqVOTest {
+
+    private static Validator validator;
+
+    @BeforeAll
+    static void setUp() {
+        ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
+        validator = factory.getValidator();
+    }
+
+    @Test
+    void testValidDirectory() {
+        // 测试有效目录
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory("uploads/2024/01");
+        
+        var violations = validator.validate(vo);
+        assertTrue(violations.isEmpty(), "有效目录应该通过验证");
+    }
+
+    @Test
+    void testNullDirectory() {
+        // 测试空目录
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory(null);
+        
+        var violations = validator.validate(vo);
+        assertTrue(violations.isEmpty(), "空目录应该通过验证");
+    }
+
+    @Test
+    void testEmptyDirectory() {
+        // 测试空字符串目录
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory("");
+        
+        var violations = validator.validate(vo);
+        assertTrue(violations.isEmpty(), "空字符串目录应该通过验证");
+    }
+
+    @Test
+    void testPathTraversalAttack() {
+        // 测试路径遍历攻击
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory("../../etc/passwd");
+        
+        var violations = validator.validate(vo);
+        assertFalse(violations.isEmpty(), "路径遍历攻击应该被拒绝");
+    }
+
+    @Test
+    void testAbsolutePath() {
+        // 测试绝对路径
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory("/etc/passwd");
+        
+        var violations = validator.validate(vo);
+        assertFalse(violations.isEmpty(), "绝对路径应该被拒绝");
+    }
+
+    @Test
+    void testWindowsAbsolutePath() {
+        // 测试Windows绝对路径
+        FileUploadReqVO vo = new FileUploadReqVO();
+        vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
+        vo.setDirectory("C:\\windows\\system32");
+        
+        var violations = validator.validate(vo);
+        assertFalse(violations.isEmpty(), "Windows绝对路径应该被拒绝");
+    }
+}
\ No newline at end of file
diff --git a/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java b/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java
deleted file mode 100644
index d2aeaf9226..0000000000
--- a/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package cn.iocoder.yudao.module.infra.framework.file.core.utils;
-
-import cn.iocoder.yudao.framework.common.exception.ServiceException;
-import org.junit.jupiter.api.Test;
-
-import static org.junit.jupiter.api.Assertions.*;
-
-/**
- * 路径验证工具类测试
- *
- * @author 芋道源码
- */
-class PathValidationUtilsTest {
-
-    @Test
-    void testValidateAndCleanDirectory_NullInput() {
-        String result = PathValidationUtils.validateAndCleanDirectory(null);
-        assertNull(result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_EmptyInput() {
-        String result = PathValidationUtils.validateAndCleanDirectory("");
-        assertNull(result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_ValidDirectory() {
-        String result = PathValidationUtils.validateAndCleanDirectory("test/directory");
-        assertEquals("test/directory", result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_WithTrailingSlash() {
-        String result = PathValidationUtils.validateAndCleanDirectory("test/directory/");
-        assertEquals("test/directory", result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_WithLeadingSlash() {
-        String result = PathValidationUtils.validateAndCleanDirectory("/test/directory");
-        assertEquals("test/directory", result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_WithMultipleSlashes() {
-        String result = PathValidationUtils.validateAndCleanDirectory("test///directory");
-        assertEquals("test/directory", result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_PathTraversalAttack() {
-        // 测试路径遍历攻击
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("../../etc/passwd");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("..\\..\\windows\\system32");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("....//etc/passwd");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("....\\\\windows\\system32");
-        });
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_UrlEncodedPathTraversal() {
-        // 测试URL编码的路径遍历攻击
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("..%2f..%2fetc%2fpasswd");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("..%5c..%5cwindows%5csystem32");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("%2e%2e%2f%2e%2e%2fetc%2fpasswd");
-        });
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_AbsolutePath() {
-        // 测试绝对路径
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("/etc/passwd");
-        });
-
-        assertThrows(ServiceException.class, () -> {
-            PathValidationUtils.validateAndCleanDirectory("C:\\windows\\system32");
-        });
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_ValidComplexPath() {
-        String result = PathValidationUtils.validateAndCleanDirectory("uploads/2024/01/images");
-        assertEquals("uploads/2024/01/images", result);
-    }
-
-    @Test
-    void testValidateAndCleanDirectory_WithDots() {
-        // 测试包含点的路径（但不是路径遍历）
-        String result = PathValidationUtils.validateAndCleanDirectory("my.file.txt");
-        assertEquals("my.file.txt", result);
-    }
-}
\ No newline at end of file