diff --git a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
index d7aeb296..9fee6182 100644
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
@@ -56,7 +56,7 @@ public class AppServiceImpl implements AppService {
 @Override
 public AppDto findById(Long id) {
- App app = appRepository.findById(id).orElseGet(App::new);
+ App app = appRepository.findById(id).orElseGet(App::new);
 ValidationUtil.isNull(app.getId(),"App","id",id);
 return appMapper.toDto(app);
 }
 
@@ -64,6 +64,11 @@ public class AppServiceImpl implements AppService {
 @Override
 @Transactional(rollbackFor = Exception.class)
 public void create(App resources) {
+ // 验证应用名称是否存在恶意攻击payload,https://github.com/elunez/eladmin/issues/873
+ String appName = resources.getName();
+ if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+ throw new IllegalArgumentException("非法的应用名称,请勿包含[; | &]等特殊字符");
+ }
 verification(resources);
 appRepository.save(resources);
 }
@@ -71,6 +76,11 @@ public class AppServiceImpl implements AppService {
 @Override
 @Transactional(rollbackFor = Exception.class)
 public void update(App resources) {
+ // 验证应用名称是否存在恶意攻击payload,https://github.com/elunez/eladmin/issues/873
+ String appName = resources.getName();
+ if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+ throw new IllegalArgumentException("非法的应用名称,请勿包含[; | &]等特殊字符");
+ }
 verification(resources);
 App app = appRepository.findById(resources.getId()).orElseGet(App::new);
 ValidationUtil.isNull(app.getId(),"App","id",resources.getId());
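Review bot: The blacklist added to create() and update() rejects only `;`, `|` and `&`, so a name containing a backtick, `$(`, a newline, a quote, `>`/`<` or a leading `-` still reaches the shell command that DeployServiceImpl.checkFile builds from it, and a null name throws NullPointerException at `appName.contains` before the check ever fires. The same command also receives `deployPath`, which gets no validation in this hunk. An allowlist is the robust form: one private helper (needs `import java.util.regex.Pattern;`) called from both methods in place of the duplicated five lines, with the message updated so it no longer describes the old blacklist, and the deploy path checked the same way if it is user-supplied. The -56 hunk on findById appears to be whitespace-only.
```java
private static final Pattern SAFE_APP_NAME = Pattern.compile("[A-Za-z0-9._-]+");

/** Rejects a null name or one containing anything a shell or find(1) could interpret. */
private static void checkAppName(String appName) {
    if (appName == null || !SAFE_APP_NAME.matcher(appName).matches()) {
        throw new IllegalArgumentException("非法的应用名称,只允许字母、数字以及 . _ - ");
    }
}

public void create(App resources) {
    checkAppName(resources.getName());
    verification(resources);
    // … unchanged: save …
}
// … update(): same single checkAppName(resources.getName()) call replaces the duplicated block …
```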
diff --git a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
index 41a25988..350cff2e 100644
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
@@ -263,9 +263,13 @@ public class DeployServiceImpl implements DeployService {
 return "执行完毕";
 }
 
- private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto appDTO) {
- String result = executeShellUtil.executeForResult("find " + appDTO.getDeployPath() + " -name " + appDTO.getName());
- return result.indexOf(appDTO.getName())>0;
+ private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto app) {
+ String deployPath = app.getDeployPath();
+ String appName = app.getName();
+ // 使用安全的命令执行方式,避免直接拼接字符串,https://github.com/elunez/eladmin/issues/873
+ String[] command = {"find", deployPath, "-name", appName};
+ String result = executeShellUtil.executeForResult(Arrays.toString(command));
+ return result.contains(appName);
 }
 
 /**
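Review bot: `Arrays.toString(command)` does not build a command: it yields the literal string `[find, <deployPath>, -name, <name>]`, which `executeForResult` still receives as one shell string, so `find` is never invoked and the two arguments are no safer than before — the bracket-and-comma form is just a different concatenation with no quoting. Since the executor takes a single shell string (the removed line shows the old call), the injection fix here is to validate the inputs at the source and single-quote each argument for POSIX sh, for example via a small `shellQuote` helper as below; whether ExecuteShellUtil could instead accept an argument list (preferable to quoting) is not visible from this hunk. Note also that `result.contains(appName)` now accepts a match at index 0 where the old `indexOf(...) > 0` did not, and that a shell error echoing the command line could contain the name and read as a found file. If `Arrays` is not imported elsewhere in this commit, the hunk as written will not compile.
```java
private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto app) {
    String deployPath = app.getDeployPath();
    String appName = app.getName();
    // executeForResult takes one shell string, so each argument is single-quoted for
    // POSIX sh: the shell sees exactly one word per argument and interprets nothing inside it.
    String command = "find " + shellQuote(deployPath) + " -name " + shellQuote(appName);
    String result = executeShellUtil.executeForResult(command);
    return result.contains(appName);
}

/** Wraps s in single quotes for POSIX sh, escaping embedded single quotes as '\''. */
private static String shellQuote(String s) {
    return "'" + s.replace("'", "'\\''") + "'";
}
```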