diff --git a/back/api/config.ts b/back/api/config.ts
index 55c740fd..3fe3f463 100644
--- a/back/api/config.ts
+++ b/back/api/config.ts
@@ -78,6 +78,12 @@ export default (app: Router) => {
 if (name.startsWith('data/scripts/')) {
 path = join(config.rootPath, name);
 }
+ if (
+ !path.startsWith(config.configPath) &&
+ !path.startsWith(config.scriptPath)
+ ) {
+ return res.send({ code: 403, message: '文件路径无效' });
+ }
 await writeFileWithLock(path, content);
 res.send({ code: 200, message: '保存成功' });
 } catch (e) {
diff --git a/back/config/util.ts b/back/config/util.ts
index c4842d92..ff1aa544 100644
--- a/back/config/util.ts
+++ b/back/config/util.ts
@@ -262,7 +262,10 @@ export async function readDir(
 baseDir: string = '',
 blacklist: string[] = [],
 ): Promise {
- const absoluteDir = path.join(baseDir, dir);
+ const absoluteDir = path.resolve(baseDir, dir);
+ if (!absoluteDir.startsWith(path.resolve(baseDir))) {
+ return [];
+ }
 const relativePath = path.relative(baseDir, absoluteDir);
 try {
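Review bot: The new guard in back/api/config.ts compares `path` against a bare directory prefix with `startsWith`, so a sibling directory whose name merely extends the allowed root (constructed example: `<scriptPath>-old/x`) passes the check although it lies outside both roots; the `readDir` hunk in back/config/util.ts has the same boundary problem, where `absoluteDir.startsWith(path.resolve(baseDir))` accepts `/base2` for a base of `/base`, and there it can be fixed with `const root = path.resolve(baseDir); if (absoluteDir !== root && !absoluteDir.startsWith(root + path.sep)) { return []; }`. For config.ts, anchor the containment test on a separator boundary via `relative`/`isAbsolute`/`sep` from the same `path` module `join` is imported from, as below. The hunk shows `path` being built with `join` (which normalizes `..`) only for names under `data/scripts/`; how it is derived for other names is outside the hunk, so whether it is normalized before the check cannot be confirmed here. The enclosing route handler starts and ends outside the hunk, and neither check resolves symlinks, so a link placed inside an allowed root is not covered by this lexical test.

```typescript
// … unchanged: path construction for name …
const within = (base: string): boolean => {
  const rel = relative(base, path);
  return rel !== '' && rel !== '..' && !rel.startsWith(`..${sep}`) && !isAbsolute(rel);
};
if (!within(config.configPath) && !within(config.scriptPath)) {
  return res.send({ code: 403, message: '文件路径无效' });
}
// … unchanged: writeFileWithLock and success response …
```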