diff --git a/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/util/StrFilterUtil.java b/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/util/StrFilterUtil.java
new file mode 100644
index 000000000..de4067f31
--- /dev/null
+++ b/kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/util/StrFilterUtil.java
@@ -0,0 +1,24 @@
+package cn.stylefeng.roses.kernel.rule.util;
+
+import java.util.regex.Pattern;
+
+/**
+ * 字符串过滤工具，主要过滤不合法的请求参数
+ *
+ * @author fengshuonan
+ * @date 2022/9/19 13:37
+ */
+public class StrFilterUtil {
+
+    /**
+     * 过滤文件名
+     *
+     * @author fengshuonan
+     * @date 2022/9/19 13:39
+     */
+    public static String filterFileName(String param) {
+        Pattern fileNamePattern = Pattern.compile("[\\\\/:*?\"<>|\\s]");
+        return fileNamePattern.matcher(param).replaceAll("");
+    }
+
+}
diff --git a/kernel-d-file/file-business/src/main/java/cn/stylefeng/roses/kernel/file/modular/service/impl/SysFileInfoServiceImpl.java b/kernel-d-file/file-business/src/main/java/cn/stylefeng/roses/kernel/file/modular/service/impl/SysFileInfoServiceImpl.java
index 3db277540..7e46050c6 100644
--- a/kernel-d-file/file-business/src/main/java/cn/stylefeng/roses/kernel/file/modular/service/impl/SysFileInfoServiceImpl.java
+++ b/kernel-d-file/file-business/src/main/java/cn/stylefeng/roses/kernel/file/modular/service/impl/SysFileInfoServiceImpl.java
@@ -56,6 +56,7 @@ import cn.stylefeng.roses.kernel.file.modular.mapper.SysFileInfoMapper;
 import cn.stylefeng.roses.kernel.file.modular.service.SysFileInfoService;
 import cn.stylefeng.roses.kernel.file.modular.service.SysFileStorageService;
 import cn.stylefeng.roses.kernel.rule.enums.YesOrNotEnum;
+import cn.stylefeng.roses.kernel.rule.util.StrFilterUtil;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
 import com.baomidou.mybatisplus.core.toolkit.IdWorker;
@@ -151,7 +152,8 @@ public class SysFileInfoServiceImpl extends ServiceImpl<SysFileInfoMapper, SysFi
         // 拼接文件可直接访问的url
         String fileAuthUrl;
         if (YesOrNotEnum.Y.getCode().equals(sysFileInfoRequest.getSecretFlag())) {
-            fileAuthUrl = fileOperatorApi.getFileAuthUrl(sysFileInfo.getFileBucket(), sysFileInfo.getFileObjectName(), FileConfigExpander.getDefaultFileTimeoutSeconds() * 1000);
+            fileAuthUrl = fileOperatorApi.getFileAuthUrl(sysFileInfo.getFileBucket(), sysFileInfo.getFileObjectName(),
+                    FileConfigExpander.getDefaultFileTimeoutSeconds() * 1000);
         } else {
             fileAuthUrl = fileOperatorApi.getFileUnAuthUrl(sysFileInfo.getFileBucket(), sysFileInfo.getFileObjectName());
         }
@@ -220,7 +222,7 @@ public class SysFileInfoServiceImpl extends ServiceImpl<SysFileInfoMapper, SysFi
         if (ObjectUtil.isNotEmpty(sysFileInfoRequest.getFileCode())) {
             wrapper.or().eq(SysFileInfo::getFileCode, sysFileInfoRequest.getFileCode());
         }
-        
+
         List<SysFileInfo> fileInfos = this.list(wrapper);
 
         // 批量删除
@@ -243,7 +245,8 @@ public class SysFileInfoServiceImpl extends ServiceImpl<SysFileInfoMapper, SysFi
         List<SysFileInfoListResponse> list = this.baseMapper.fileInfoList(page, sysFileInfoRequest);
 
         // 排除defaultAvatar.png这个图片,这个是默认头像
-        List<SysFileInfoListResponse> newList = list.stream().filter(i -> !i.getFileOriginName().equals(FileConstants.DEFAULT_AVATAR_FILE_OBJ_NAME)).collect(Collectors.toList());
+        List<SysFileInfoListResponse> newList = list.stream().filter(i -> !i.getFileOriginName().equals(FileConstants.DEFAULT_AVATAR_FILE_OBJ_NAME))
+                .collect(Collectors.toList());
 
         // 拼接图片url地址
         for (SysFileInfoListResponse sysFileInfoListResponse : newList) {
@@ -373,6 +376,10 @@ public class SysFileInfoServiceImpl extends ServiceImpl<SysFileInfoMapper, SysFi
     @Override
     public void previewByBucketAndObjName(SysFileInfoRequest sysFileInfoRequest, HttpServletResponse response) {
 
+        if (StrUtil.isNotBlank(sysFileInfoRequest.getFileObjectName())) {
+            sysFileInfoRequest.setFileObjectName(StrFilterUtil.filterFileName(sysFileInfoRequest.getFileObjectName()));
+        }
+
         // 判断文件是否需要鉴权，需要鉴权的需要带token访问
         LambdaQueryWrapper<SysFileInfo> wrapper = new LambdaQueryWrapper<>();
         wrapper.eq(SysFileInfo::getFileObjectName, sysFileInfoRequest.getFileObjectName());
@@ -452,7 +459,8 @@ public class SysFileInfoServiceImpl extends ServiceImpl<SysFileInfoMapper, SysFi
             return this.sysFileStorageService.getFileAuthUrl(String.valueOf(fileId));
         } else {
             // 返回第三方存储文件url
-            return fileOperatorApi.getFileAuthUrl(sysFileInfo.getFileBucket(), sysFileInfo.getFileObjectName(), FileConfigExpander.getDefaultFileTimeoutSeconds());
+            return fileOperatorApi.getFileAuthUrl(sysFileInfo.getFileBucket(), sysFileInfo.getFileObjectName(),
+                    FileConfigExpander.getDefaultFileTimeoutSeconds());
         }
     }