diff --git a/cli/src/gcp/gcp.ts b/cli/src/gcp/gcp.ts
index 296bc5ce..4f6cafce 100644
--- a/cli/src/gcp/gcp.ts
+++ b/cli/src/gcp/gcp.ts
@@ -920,6 +920,10 @@ export async function runServerCapture(cmd: string, timeoutSecs?: number): Promi
 }
 export async function uploadFile(localPath: string, remotePath: string): Promise {
+ if (!/^[a-zA-Z0-9/_.~$-]+$/.test(remotePath) || remotePath.includes("..")) {
+ logError(`Invalid remote path: ${remotePath}`);
+ throw new Error("Invalid remote path");
+ }
 const username = resolveUsername();
 // Expand $HOME on remote side
 const expandedPath = remotePath.replace(/^\$HOME/, "~");
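Review bot: The allowlist in the new guard at the top of `uploadFile` accepts `$` and `~` at any position and a leading `-`, while the only expansion the hunk shows the function expecting is a leading `$HOME` (rewritten to `~` on the last line). If `expandedPath` later reaches a remote shell or an scp/ssh argument list (that part of the body is outside the hunk, so this is inferred), a value such as `a/$VAR` or one starting with `-` would still be expanded by the shell or parsed as an option. Consider anchoring the special prefix and excluding a leading dash, for example `/^(?:(?:\$HOME|~)\/)?[a-zA-Z0-9/_.][a-zA-Z0-9/_.-]*$/`. Separately, `logError` prints the rejected value verbatim, and a value that failed the allowlist may contain newlines or terminal escape sequences; logging `JSON.stringify(remotePath)` instead keeps the log line intact.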