diff --git a/app/Http/Controllers/Api/ApproveController.php b/app/Http/Controllers/Api/ApproveController.php
index 6a3b0c36c..d5929bced 100755
--- a/app/Http/Controllers/Api/ApproveController.php
+++ b/app/Http/Controllers/Api/ApproveController.php
@@ -987,7 +987,7 @@ class ApproveController extends AbstractController
         return Base::retSuccess('success');
     }
 
-    function getStateDescription($state)
+    protected function getStateDescription($state)
     {
         $state_map = array(
             0 => '全部',
@@ -1021,7 +1021,7 @@ class ApproveController extends AbstractController
     }
 
     // 处理参与人返回数据
-    public function handleParticipant($process, $participant)
+    protected function handleParticipant($process, $participant)
     {
         // 如果空
         if (empty($participant)) {
@@ -1059,7 +1059,7 @@ class ApproveController extends AbstractController
     }
 
     // 审批机器人消息
-    public function approveMsg($type, $dialog, $botUser, $toUser, $process, $action = null)
+    protected function approveMsg($type, $dialog, $botUser, $toUser, $process, $action = null)
     {
         $data = [
             'id' => $process['id'],
@@ -1139,7 +1139,7 @@ class ApproveController extends AbstractController
     }
 
     // 根据ID获取流程
-    public function getProcessById($id)
+    protected function getProcessById($id)
     {
         $data['id'] = intval($id);
         $ret = Ihttp::ihttp_get($this->flow_url . "/api/v1/workflow/process/findById?" . http_build_query($data));
@@ -1191,7 +1191,7 @@ class ApproveController extends AbstractController
     }
 
     // 处理流程节点返回是否有抄送人
-    public function handleProcessNode($process)
+    protected function handleProcessNode($process)
     {
         // 获取流程节点
         $process_node = $process['node_infos'];
@@ -1209,7 +1209,7 @@ class ApproveController extends AbstractController
     }
 
     // 根据ID查询流程实例的参与者(所有)
-    public function getUserProcessParticipantById($id)
+    protected function getUserProcessParticipantById($id)
     {
         $data['procInstId'] = intval($id);
         $ret = Ihttp::ihttp_get($this->flow_url . "/api/v1/workflow/identitylink/findParticipantAll?" . http_build_query($data));
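Review bot: Changing `getStateDescription` from implicit-public to `protected` (and the same change in the -1021, -1059, -1139, -1191 and -1209 hunks) only removes these helpers from the API surface if the dispatcher that maps request names to methods checks visibility; `method_exists()` is true for protected methods, and a `$this->{$method}()` call issued from inside the controller hierarchy (AbstractController is not in this diff) succeeds regardless of `protected`. InvokeController receives an explicit `isPublic()` guard in this same commit, so the Api-side dispatcher presumably needs the equivalent check, or at least a test asserting that these six names now return a 404-style error rather than running. Style: the helpers stay untyped (`$state`, `$id`, `$process`), so while touching every signature this would be the moment to add parameter and return types, e.g. `protected function getStateDescription(int $state): string`. Each method's body continues outside its hunk.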
diff --git a/app/Http/Controllers/Api/DialogController.php b/app/Http/Controllers/Api/DialogController.php
index 0322efb1e..96e0fd00a 100755
--- a/app/Http/Controllers/Api/DialogController.php
+++ b/app/Http/Controllers/Api/DialogController.php
@@ -2125,6 +2125,9 @@ class DialogController extends AbstractController
         $msg_id = intval(Request::input("msg_id"));
         $force = intval(Request::input("force"));
         $language = Base::inputOrHeader('language');
+        if (empty($language)) {
+            return Base::retError("参数错误");
+        }
         $targetLanguage = Doo::getLanguages($language);
         //
         if (empty($targetLanguage)) {
diff --git a/app/Http/Controllers/Api/FileController.php b/app/Http/Controllers/Api/FileController.php
index f8d8decf0..d6a009003 100755
--- a/app/Http/Controllers/Api/FileController.php
+++ b/app/Http/Controllers/Api/FileController.php
@@ -737,6 +737,9 @@ class FileController extends AbstractController
         File::isNeedInstallApp('office');
         //
         $config = Request::input('config');
+        if (!is_array($config)) {
+            return Base::retError('参数错误');
+        }
         $token = \Firebase\JWT\JWT::encode($config, config('app.key') ,'HS256');
         return Base::retSuccess('成功', [
             'token' => $token
diff --git a/app/Http/Controllers/InvokeController.php b/app/Http/Controllers/InvokeController.php
index 07e63d130..813eb194b 100644
--- a/app/Http/Controllers/InvokeController.php
+++ b/app/Http/Controllers/InvokeController.php
@@ -24,8 +24,8 @@ class InvokeController extends BaseController
         if ($action) {
             $app .= "__" . $action;
         }
-        // 接口不存在
-        if (!method_exists($this, $app)) {
+        // 接口不存在(仅 public 方法可作为端点,protected/private 为内部方法,不暴露为路由)
+        if (!method_exists($this, $app) || !(new \ReflectionMethod($this, $app))->isPublic()) {
             $msg = "404 not found (" . str_replace("__", "/", $app) . ").";
             return Base::ajaxError($msg);
         }
diff --git a/app/Module/Base.php b/app/Module/Base.php
index 55a27dbf4..62376e3b3 100755
--- a/app/Module/Base.php
+++ b/app/Module/Base.php
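Review bot: The added `empty($language)` guard returns the generic `"参数错误"`, which does not tell the API caller which of `msg_id`, `force` or `language` was rejected; `return Base::retError("language 参数错误");` would make the failure self-explanatory. The guard also sits directly above an existing `if (empty($targetLanguage))` branch, so if `Doo::getLanguages()` already yields an empty result for a missing code the new check only provides an earlier exit — if it was added because `getLanguages(null)` misbehaves, a one-line comment saying so would justify its presence. Minor consistency point: the FileController hunk in this same commit writes the identical literal with single quotes (`'参数错误'`). The enclosing method starts and ends outside the hunk.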
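Review bot: The new `is_array($config)` check only fixes the argument type for `JWT::encode()`; the payload that gets signed with `config('app.key')` on the next line is still whatever keys and values the client placed in `config`, so the server is issuing a signature over claims it did not choose. If the office integration treats this token as authorization (which document, which permissions, which user), the controller should build those claims server-side or reduce `$config` to an allow-list of the keys the integration actually expects before signing, e.g. `$config = array_intersect_key($config, array_flip(['<expected-key-1>', '<expected-key-2>']));` (placeholder key names), and consider adding a short `exp` claim so a captured token cannot be replayed indefinitely. Style: `config('app.key') ,'HS256'` has the comma spacing inverted. The enclosing method starts outside the hunk.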
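Review bot: `isPublic()` on the changed condition narrows dispatch to public methods, but `method_exists($this, $app)` also matches public methods inherited from BaseController and, if that ultimately extends the framework's routing controller, its public helpers (`middleware`, `getMiddleware`, `callAction`), which therefore remain callable by name. If every endpoint is declared on InvokeController itself, also reject methods declared elsewhere and static ones: `$ref = method_exists($this, $app) ? new \ReflectionMethod($this, $app) : null;` followed by `if ($ref === null || !$ref->isPublic() || $ref->isStatic() || $ref->getDeclaringClass()->getName() !== self::class) {`. The new comment could then say so in one clause, e.g. `// 仅本类声明的非静态 public 方法可作为端点`. The enclosing method starts and ends outside the hunk.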
@@ -851,7 +851,7 @@ class Base
         // 优先用当前请求的协议+主机:getScheme() 会经 TrustProxies 采信 X-Forwarded-Proto,
         // 从而正确识别 https;host 取自 Host 头(不信 X-Forwarded-Host,避免 Host 注入)
         $request = request();
-        if ($request && $request->getHttpHost()) {
+        if ($request instanceof \Illuminate\Http\Request && $request->getHttpHost()) {
             return $request->getSchemeAndHttpHost();
         }
         // 非请求上下文(Task/命令行等)的兜底
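Review bot: The `instanceof` test on the changed line is a sound replacement for the truthiness check, but the comment two lines above it overstates the protection: `getHttpHost()` still returns the client-supplied `Host` header, so a forged Host lands in every URL built from this value unless Laravel's TrustHosts middleware (or the web server's virtual-host matching) constrains it — ignoring X-Forwarded-Host removes only one of the two injection paths. Suggest extending the comment with `// Host 头本身仍由客户端提供,需 TrustHosts 或 Web 服务器 server_name 限定` so the next maintainer does not read this as fully trusted. If `Illuminate\Http\Request` is already imported at the top of Base.php, the short class name would match the file's style better than the fully-qualified one. The enclosing method starts outside the hunk.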