diff --git a/dpdispatcher/contexts/ssh_context.py b/dpdispatcher/contexts/ssh_context.py
index 8537894d..273d6e15 100644
--- a/dpdispatcher/contexts/ssh_context.py
+++ b/dpdispatcher/contexts/ssh_context.py
@@ -972,6 +972,9 @@ def _get_files(self, files, tar_compress=True):
 self.ssh_session.get(from_f, to_f)
 # extract
 with tarfile.open(to_f, mode=tarfile_mode) as tar:
+ for member in tar.getmembers():
+ if os.path.isabs(member.name) or ".." in member.name:
+ raise ValueError(f"Illegal tar archive entry: {member.name}")
 tar.extractall(path=self.local_root)
 # cleanup
 os.remove(to_f)
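Review bot: The new guard only inspects `member.name`, so a symlink or hardlink member whose `linkname` points outside `self.local_root` (absolute, or `../`-relative) still passes and `tar.extractall` will create it, after which a later member can be written through it; this is the classic tar-slip variant that name-only checks miss, and the archive comes from the remote host the SSH context is talking to. The `".." in member.name` substring test is also both too strict (it rejects legitimate names such as `out..bak`) and purely lexical. On Python versions that ship the PEP 706 extraction filters (3.12, and the backports in the 3.8–3.11 security releases) `tar.extractall(path=self.local_root, filter="data")` handles absolute paths, parent traversal, escaping links and special files in one place; for older interpreters a fallback should at least resolve each `name` and `linkname` against the real destination root with `os.path.commonpath`, keeping in mind that a lexical fallback is best-effort because link chains inside one archive can still fool it. `_get_files` starts before and continues after this hunk, so I have not seen where `to_f`/`tarfile_mode` are chosen or whether `self.local_root` is already an absolute, resolved path.

```python
with tarfile.open(to_f, mode=tarfile_mode) as tar:
    if hasattr(tarfile, "data_filter"):
        # PEP 706 filter: rejects absolute names, ".." traversal, links that
        # escape the destination, and device/FIFO members in one place.
        tar.extractall(path=self.local_root, filter="data")
    else:
        # Best-effort fallback for interpreters without extraction filters.
        root = os.path.realpath(self.local_root)
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(root, member.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"Illegal tar archive entry: {member.name}")
            if member.issym() or member.islnk():
                base = os.path.dirname(target) if member.issym() else root
                link = os.path.realpath(os.path.join(base, member.linkname))
                if os.path.isabs(member.linkname) or os.path.commonpath([root, link]) != root:
                    raise ValueError(f"Illegal tar archive link: {member.name} -> {member.linkname}")
        tar.extractall(path=self.local_root)
# … unchanged: cleanup of to_f …
```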