diff --git a/adapter/provider/parser.go b/adapter/provider/parser.go
index 6907fc69..57dc6e24 100644
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -108,6 +108,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("proxies", schema.URL)
diff --git a/rules/provider/parse.go b/rules/provider/parse.go
index 5fa98dc7..496a2a09 100644
--- a/rules/provider/parse.go
+++ b/rules/provider/parse.go
@@ -42,6 +42,9 @@ func ParseRuleProvider(name string, mapping map[string]any, parse common.ParseRu
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("rules", schema.URL)