diff --git a/kernel/model/assets.go b/kernel/model/assets.go
index 7e19a826a..da0817852 100644
--- a/kernel/model/assets.go
+++ b/kernel/model/assets.go
@@ -432,7 +432,7 @@ func SearchAssetsByName(keyword string, exts []string) (ret []*cache.Asset) {
 return
 }
-func GetAssetAbsPath(relativePath string) (absPath string, err error) {
+func GetAssetAbsPath(relativePath string) (ret string, err error) {
 relativePath = strings.TrimSpace(relativePath)
 if strings.Contains(relativePath, "?") {
 relativePath = relativePath[:strings.Index(relativePath, "?")]
@@ -455,13 +455,18 @@ func GetAssetAbsPath(relativePath string) (absPath string, err error) {
 }
 if p := filepath.ToSlash(path); strings.HasSuffix(p, relativePath) {
 if gulu.File.IsExist(path) {
- absPath = path
+ ret = path
 return io.EOF
 }
 }
 return nil
 })
- if "" != absPath {
+
+ if "" != ret {
+ if !util.IsSubPath(util.WorkspaceDir, ret) {
+ err = fmt.Errorf("[%s] is not sub path of workspace", ret)
+ return
+ }
 return
 }
 }
@@ -469,7 +474,11 @@ func GetAssetAbsPath(relativePath string) (absPath string, err error) {
 // 在全局 assets 路径下搜索
 p := filepath.Join(util.DataDir, relativePath)
 if gulu.File.IsExist(p) {
- absPath = p
+ ret = p
+ if !util.IsSubPath(util.WorkspaceDir, ret) {
+ err = fmt.Errorf("[%s] is not sub path of workspace", ret)
+ return
+ }
 return
 }
 return "", errors.New(fmt.Sprintf(Conf.Language(12), relativePath))
diff --git a/kernel/util/file.go b/kernel/util/file.go
index 5f717553b..690fb9628 100644
--- a/kernel/util/file.go
+++ b/kernel/util/file.go
@@ -190,6 +190,10 @@ func IsSubPath(absPath, toCheckPath string) bool {
 if 1 > len(absPath) || 1 > len(toCheckPath) {
 return false
 }
+ if absPath == toCheckPath { // 相同路径时不认为是子路径
+ return false
+ }
+
 if gulu.OS.IsWindows() {
 if filepath.IsAbs(absPath) && filepath.IsAbs(toCheckPath) {
 if strings.ToLower(absPath)[0] != strings.ToLower(toCheckPath)[0] {
diff --git a/kernel/util/path.go b/kernel/util/path.go
index 8c653a31f..7c44ed9bb 100644
--- a/kernel/util/path.go
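Review bot: In the containment check added after the notebook walk (`if !util.IsSubPath(util.WorkspaceDir, ret)`), the rejected path stays in the named result `ret` when the function returns with `err` set, so a caller that ignores or mishandles the error still receives a path outside the workspace. Clear it on rejection, for example `return "", fmt.Errorf("[%s] is not sub path of workspace", ret)`, which matches the existing final `return "", errors.New(...)`. The same pattern appears in the next hunk for the global assets lookup. GetAssetAbsPath starts and ends outside this hunk.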
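Review bot: The global-assets branch joins `relativePath` onto `util.DataDir` but enforces `util.WorkspaceDir` as the boundary, so a path with parent-directory segments is still accepted when it lands elsewhere in the workspace (presumably the data directory sits inside it), outside the directory being searched. If nothing depends on that reach, check against the lookup base and do it before the existence test: `if !util.IsSubPath(util.DataDir, p) { return "", fmt.Errorf("[%s] is outside the data directory", relativePath) }` ahead of `gulu.File.IsExist(p)`. Checking first also avoids returning one error for out-of-bounds paths that exist and another for those that do not, and keeps the resolved absolute path out of the message. The function body continues outside the hunk.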
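Review bot: The new equality guard `if absPath == toCheckPath` compares the raw strings, so the same directory spelled with a trailing separator, or with different letter case on Windows (the drive-letter check just below already lower-cases), is not recognised as equal and falls through to the sub-path logic. Whether that logic then rejects it cannot be seen from this hunk. Comparing cleaned paths makes the guard independent of spelling: `if filepath.Clean(absPath) == filepath.Clean(toCheckPath) {`. A doc comment on IsSubPath stating that identical paths return false would also help, since callers such as GetAbsPathInWorkspace now need a separate root check. IsSubPath continues past the end of the hunk.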
+++ b/kernel/util/path.go
@@ -268,9 +268,12 @@ func IsDisplayableAsset(p string) bool {
 func GetAbsPathInWorkspace(relPath string) (string, error) {
 absPath := filepath.Join(WorkspaceDir, relPath)
+ if WorkspaceDir == absPath {
+ return absPath, nil
+ }
+
 if IsSubPath(WorkspaceDir, absPath) {
 return absPath, nil
- } else {
- return "", os.ErrPermission
 }
+ return "", os.ErrPermission
 }
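Review bot: GetAbsPathInWorkspace decides containment on the string produced by `filepath.Join`, which is purely lexical; unless IsSubPath resolves links (only part of it is visible on this page), a symlink inside the workspace that points elsewhere passes the check. Either resolve with `filepath.EvalSymlinks` before the comparison where the target exists, or state the limit in a doc comment such as `// GetAbsPathInWorkspace joins relPath onto WorkspaceDir and returns os.ErrPermission if the result leaves the workspace; the check is lexical and does not follow symlinks.` The new `WorkspaceDir == absPath` test also compares an uncleaned value with a cleaned one, so it only matches if WorkspaceDir is stored in clean form.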