diff --git a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
index 8d629d190..7efa73e82 100644
--- a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
+++ b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
@@ -215,6 +215,10 @@ internal class WorkspaceServiceImpl(
 throw IllegalArgumentException("Invalid destination: '$destination'. '..' is not allowed")
 }
 val workspace = getVerifiedWorkspace(organizationId, workspaceId, PERMISSION_WRITE)
+ if (file?.filename?.contains("..") == true || file?.filename?.contains("/") == true) {
+ throw IllegalArgumentException(
+ "Invalid filename: '${file.filename}'. '..' and '/' are not allowed")
+ }
 logger.debug(
 "Uploading file resource to workspace #{} ({}): {} => {}",
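Review bot: The new filename guard is a two-token deny-list, so a backslash separator or a control character still passes, and a null `file?.filename` makes both `== true` comparisons false and skips the check entirely. Whether any of those can reach the storage path depends on code outside this hunk, but the filename is presumably client-supplied, so I would accept only a plain leaf name: `val name = file?.filename?.takeIf { it.isNotBlank() } ?: throw IllegalArgumentException("Missing filename")` followed by `if (".." in name || name.any { it == '/' || it == '\\' || it.isISOControl() }) throw IllegalArgumentException("Invalid filename")`. A stronger variant resolves destination plus name against the workspace root and checks that the normalised result still lies under it, which would also tighten the `destination` check above that rejects only `..`. The enclosing function starts and ends outside the hunk.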