diff --git a/kernel/api/file.go b/kernel/api/file.go
index 307ae38cb..b0890313b 100644
--- a/kernel/api/file.go
+++ b/kernel/api/file.go
@@ -141,6 +141,14 @@ func copyFile(c *gin.Context) {
 }
 dest := arg["dest"].(string)
+ if util.IsSensitivePath(dest) {
+ msg := fmt.Sprintf("refuse to copy sensitive file [%s]", dest)
+ logging.LogErrorf(msg)
+ ret.Code = -2
+ ret.Msg = msg
+ return
+ }
+
 if err = filelock.Copy(src, dest); err != nil {
 logging.LogErrorf("copy file [%s] to [%s] failed: %s", src, dest, err)
 ret.Code = -1
diff --git a/kernel/util/path.go b/kernel/util/path.go
index 6fae2db3a..7cf834497 100644
--- a/kernel/util/path.go
+++ b/kernel/util/path.go
@@ -373,6 +373,7 @@ func IsSensitivePath(p string) bool {
 "/etc/ssh",
 "/root",
 "/etc/ssl",
+ "/etc/cron.d/",
 "/etc/letsencrypt",
 "/var/lib/docker",
 "/.gnupg",
@@ -404,6 +405,7 @@ func IsSensitivePath(p string) bool {
 base := filepath.Base(pp)
 n := strings.ToLower(base)
 sensitiveNames := map[string]struct{}{
+ ".bashrc": {},
 ".env": {},
 ".env.local": {},
 ".npmrc": {},
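Review bot: `logging.LogErrorf(msg)` in the copyFile hunk passes a string built from the request's `dest` as the format argument, so any `%` in the path is re-interpreted by the logger and the entry comes out garbled (go vet reports this as a non-constant format string). Keep the format constant and quote the path, `logging.LogErrorf("refuse to copy sensitive file [%q]", dest)`, and build `ret.Msg` separately; `%q` also stops a newline in `dest` from splitting the log entry. The check runs on `dest` exactly as received, and whether `IsSensitivePath` cleans the path or resolves symlinks before matching is not visible here, so that is worth confirming; `src` is not checked in the visible lines either. copyFile's body starts and ends outside the hunk.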
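Review bot: `"/etc/cron.d/"` is the only entry in the visible part of the list written with a trailing slash; its neighbours (`"/etc/ssh"`, `"/etc/ssl"`, `"/etc/letsencrypt"`) have none. The comparison code is outside this hunk, but if the candidate path is cleaned before a prefix test, the directory path itself would no longer match this entry, so `"/etc/cron.d",` would be consistent with the siblings. Because this is a denylist, it only protects what it names: unless they are already listed outside the hunk, the other cron locations (`/etc/crontab`, the `/etc/cron.daily`-style directories, `/var/spool/cron`) need entries too. The same goes for the shell start-up files other than `.bashrc` in the `sensitiveNames` hunk of this file. Restricting `dest` in copyFile to an allowed base directory would be more durable than extending the list case by case.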