fix:Fix Market Invitation Anomaly and URL Authentication Vulnerability#802

Merged
horizon220222 merged 1 commit into
iflytek:mainfrom
maomeideliu:fix/market
Jun 4, 2026

Conversation

@maomeideliu

Contributor

📝 Pull Request Description

🎯 Change Type

  • ✨ New Feature
  • 🐛 Bug Fix
  • 📚 Documentation
  • 🎨 Code Style
  • ♻️ Refactoring
  • ⚡ Performance
  • ✅ Tests
  • 🔧 Configuration
  • 🔨 Build/CI
  • 🌐 Internationalization
  • ⬆️ Dependencies Update

🔗 Related Issues

  • Closes #
  • Related to #

📋 Changes Made

Main Changes

Technical Details


🧪 Testing

Test Environment

  • Windows 10/11
  • Linux
  • macOS
  • Docker

Test Steps

Test Results


📸 Screenshots/Recordings

Before

After


⚠️ Breaking Changes

  • This PR contains breaking changes

Breaking Changes Details

✅ Checklist

Code Quality

  • Code follows project coding standards
  • Self-reviewed the code
  • Code has appropriate comments (especially for complex logic)
  • Updated relevant documentation
  • No new warnings generated

Testing

  • Added corresponding test cases
  • All tests pass
  • Manual testing verification passed

Documentation

  • Updated README (if needed)
  • Updated API documentation (if needed)
  • Updated user guide (if needed)
  • Updated CHANGELOG (if needed)

Others

  • Communicated with relevant stakeholders
  • Does not affect existing functionality
  • Considered backward compatibility
  • Considered performance impact
  • Considered security

📌 Additional Notes


🙏 Acknowledgements


📖 Tips:

  • Ensure PR title is concise and clear, starting with a verb (e.g., Add, Fix, Update, Remove)
  • Try to keep PR changes small and focused for easier review
  • Follow the project's branch management strategy

/cc @maintainers

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces tenant validation when accepting team invitations in NotifySendServiceImpl to prevent data being written to the wrong tenant after switching accounts. It also enhances path traversal protection in AuthenticationFilter by decoding, normalizing, and validating request paths, while removing static resource path bypasses. The review feedback suggests validating special characters like semicolons and backslashes before path normalization to prevent bypasses, and recommends using the non-deprecated URLDecoder.decode overload with StandardCharsets.UTF_8.


Comment on lines +101 to +108
// Normalize the path, resolving traversal sequences such as . and ..
// e.g. /api/rpa-auth/login/../dept/current is normalized to /api/rpa-auth/dept/current
String path = org.springframework.util.StringUtils.cleanPath(decodedPath);

// If .. still remains after normalization (e.g. the path climbed above the root), or the path contains suspicious characters such as backslashes or semicolons, treat it as an illegal path and never let it through
if (path.contains("../") || path.contains("..\\") || path.contains(";")) {
return false;
}
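Review bot: The `path.contains("..\\")` clause on the normalized path can never match, because StringUtils.cleanPath rewrites every backslash to `/` before it collapses segments, so a `..\` in the input has already become `../` (and been either resolved or caught by the `../` clause) by the time this line runs. Either drop that clause or, better, test `decodedPath` for backslashes and semicolons before calling cleanPath, which is also where the `;` test belongs, since cleanPath can discard the very segment that carries the semicolon.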


security-high

Special characters such as semicolons (;) and backslashes (\\) should be validated before path normalization (cleanPath). If these characters sit in a path segment that cleanPath parses and removes (for example /api/rpa-auth/private;/../login), the normalized path will no longer contain them, which may bypass the security check. Validating before normalization provides stronger security.

        // Validate semicolons and backslashes before normalization, so they cannot be cleared or bypassed during cleanPath
        if (decodedPath.contains(";") || decodedPath.contains("\\")) {
            return false;
        }

        // Normalize the path, resolving traversal sequences such as . and ..
        // e.g. /api/rpa-auth/login/../dept/current is normalized to /api/rpa-auth/dept/current
        String path = org.springframework.util.StringUtils.cleanPath(decodedPath);

        // If .. still remains after normalization (e.g. the path climbed above the root), treat it as an illegal path and never let it through
        if (path.contains("../") || path.contains("..\\")) {
            return false;
        }
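To make the ordering point concrete, here is an added Python model of the filter's decision logic; it is not the project's Java code. `clean_path` reimplements the segment-collapsing behaviour of Spring's StringUtils.cleanPath (assumption: drive/scheme prefix handling omitted), `urllib.parse.unquote` stands in for URLDecoder, and the sample paths are constructed for this illustration.

```python
from urllib.parse import unquote

# Constructed sample request paths (not taken from the project), one per case discussed above.
SAMPLE_PATHS = {
    "plain":      "/api/rpa-auth/dept/current",
    "dot_dot":    "/api/rpa-auth/login/../dept/current",
    "encoded":    "/api/rpa-auth/login/%2e%2e%2fdept/current",  # ".." and "/" percent-encoded
    "semicolon":  "/api/rpa-auth/private;/../login",            # the segment holding ';' gets collapsed away
    "backslash":  "/api/rpa-auth/login/..\\dept/current",       # Windows-style separator
    "above_root": "/api/../../dept/current",                    # more '..' than there are segments to pop
}

def clean_path(path: str) -> str:
    """Model of Spring's StringUtils.cleanPath: backslashes become '/', '.' segments are dropped,
    '..' pops the previous segment, and any '..' that cannot be popped is kept at the front."""
    p = path.replace("\\", "/")
    if "." not in p:
        return p
    prefix = "/" if p.startswith("/") else ""
    elements, tops = [], 0
    for element in reversed(p[len(prefix):].split("/")):
        if element == ".":
            continue
        if element == "..":
            tops += 1
        elif tops > 0:
            tops -= 1  # this segment is consumed by a later '..'
        else:
            elements.insert(0, element)
    return prefix + "/".join([".."] * tops + elements)

def passes_checks(raw_path: str, check_before_normalize: bool) -> bool:
    """True if the path survives validation. check_before_normalize=False is the order in the PR
    (';' tested after cleanPath); True is the reviewer's order (';' and '\\' tested on the
    decoded path first). unquote stands in for URLDecoder.decode, which also maps '+' to ' '."""
    decoded = unquote(raw_path)
    if check_before_normalize and (";" in decoded or "\\" in decoded):
        return False
    path = clean_path(decoded)
    if "../" in path or "..\\" in path:  # mirrors the Java; the second clause cannot match after clean_path
        return False
    if not check_before_normalize and ";" in path:
        return False
    return True

def compare(paths=SAMPLE_PATHS):
    """Map each sample to (result with the PR's ordering, result with the reviewer's ordering)."""
    return {name: (passes_checks(p, False), passes_checks(p, True)) for name, p in paths.items()}
```

Running `compare()` shows the semicolon and backslash samples passing under the PR's ordering but being rejected under the reviewer's, while the genuinely traversing `above_root` sample is rejected by both.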

// URL-decode to handle encoded traversal such as %2e%2e and %2f
String decodedPath;
try {
decodedPath = java.net.URLDecoder.decode(rawPath, "UTF-8");
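Review bot: The catch for this try block is not in the excerpt, so it is worth confirming that a decode failure ends in `return false` rather than falling through: URLDecoder.decode throws IllegalArgumentException, not only UnsupportedEncodingException, when it meets a malformed percent-escape, and an allow-list filter should treat an undecodable path as not matching. Moving to the `decode(String, Charset)` overload removes the checked exception but not that runtime one.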


medium

Suggest using java.net.URLDecoder.decode(rawPath, java.nio.charset.StandardCharsets.UTF_8) instead of the deprecated URLDecoder.decode(String, String) method. This avoids a deprecated API and removes the need to handle UnsupportedEncodingException.

Suggested change
decodedPath = java.net.URLDecoder.decode(rawPath, "UTF-8");
decodedPath = java.net.URLDecoder.decode(rawPath, java.nio.charset.StandardCharsets.UTF_8);

@horizon220222 horizon220222 merged commit 7fcfc10 into iflytek:main Jun 4, 2026
6 of 7 checks passed