diff --git a/interfaces/kits/js/src/mod_fs/properties/copy.cpp b/interfaces/kits/js/src/mod_fs/properties/copy.cpp
index ba09491ce974dfd8590e8fdc212882d78f2488a5..e8c00ccd03abafea706d2fd948ba06364ab32042 100644
--- a/interfaces/kits/js/src/mod_fs/properties/copy.cpp
+++ b/interfaces/kits/js/src/mod_fs/properties/copy.cpp
@@ -704,6 +704,27 @@ void Copy::CloseNotifyFdLocked(std::shared_ptr<FileInfos> infos, std::shared_ptr
     CloseNotifyFd(infos, callback);
 }
 
+static bool CheckRealPath(string path, string parent)
+{
+    char resolvedPath[PATH_MAX + 1];
+    if (realpath(path.c_str(), resolvedPath) == nullptr) {
+        return false;
+    }
+    std::string normalizedPath(resolvedPath);
+    char resolvedParent[PATH_MAX + 1];
+    if (realpath(parent.c_str(), resolvedParent) == nullptr) {
+        return false;
+    }
+    std::string normalizedParent(resolvedParent);
+    if (normalizedParent.back() != '/') {
+        normalizedParent += '/';
+    }
+    if (normalizedPath.find(normalizedParent) != 0) {
+        return false;
+    }
+    return true;
+}
+
 tuple<bool, int, bool> Copy::HandleProgress(
     inotify_event *event, std::shared_ptr<FileInfos> infos, std::shared_ptr<JsCallbackObject> callback)
 {
@@ -717,6 +738,9 @@ tuple<bool, int, bool> Copy::HandleProgress(
     std::string fileName = receivedInfo->path;
     if (!infos->isFile) { // files under subdir
         fileName += "/" + string(event->name);
+        if (!CheckRealPath(fileName, receivedInfo->path)) {
+            return { true, EINVAL, false };
+        }
         if (!CheckFileValid(fileName, infos)) {
             return { true, EINVAL, false };
         }