diff --git a/lib/builder_web.ml b/lib/builder_web.ml index 5acae36..7ac54cb 100644 --- a/lib/builder_web.ml +++ b/lib/builder_web.ml @@ -2,11 +2,17 @@ let src = Logs.Src.create "builder-web" ~doc:"Builder_web" module Log = (val Logs.src_log src : Logs.LOG) open Opium +open Rresult.R.Infix type t = Model.t = { dir : Fpath.t } +let safe_seg path = + if Fpath.is_seg path && not (Fpath.is_rel_seg path) + then Ok (Fpath.v path) + else Rresult.R.error_msgf "unsafe path %S" path + let routes (t : Model.t) = let builder _req = match Model.jobs t with @@ -20,19 +26,22 @@ let routes (t : Model.t) = let job req = let job = Router.param req "job" in - match Model.job t (Fpath.v job) with + match safe_seg job >>= fun job -> + Model.job t job with + | Ok job -> + Views.job job |> Response.of_html |> Lwt.return | Error (`Msg e) -> Log.warn (fun m -> m "Error getting job: %s" e); Response.of_plain_text ~status:`Internal_server_error "Error getting job" |> Lwt.return - | Ok job -> - Views.job job |> Response.of_html |> Lwt.return in let job_run req = let job = Router.param req "job" and run = Router.param req "run" in - match Model.read_full t (Fpath.v job) (Fpath.v run) with + match safe_seg job >>= fun job -> + safe_seg run >>= fun run -> + Model.read_full t job run with | Error (`Msg e) -> Log.warn (fun m -> m "Error getting job run: %s" e); Response.of_plain_text ~status:`Internal_server_error
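Review bot: safe_seg can still raise instead of returning an Error: `Fpath.is_seg ""` holds and `""` is not a relative segment, so an empty parameter reaches `Fpath.v`, which raises Invalid_argument on an invalid path. Whether the router can deliver an empty `job` or `run` is not visible in this diff, so guard it locally with `if path <> "" && Fpath.is_seg path && not (Fpath.is_rel_seg path)`. A short comment above the function, e.g. `(* Accept exactly one path segment from a URL parameter: no separator, no NUL, not "." or ".." *)`, would record why every handler that builds a path from request data has to go through it.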
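Review bot: A rejected segment is reported as a server fault: in `job`, and in the same way in `job_run` further down, the Error from safe_seg falls into the same branch as a Model failure, so a request with an unsafe path gets a 500 and is logged as "Error getting job". Validate before calling the model and answer with `Bad_request` under a distinct log message, so that path-traversal probing is recognisable in the logs and does not inflate server-error counts. The body of `job_run` continues past the end of the hunk.

```ocaml
  let job req =
    let job = Router.param req "job" in
    match safe_seg job with
    | Error (`Msg e) ->
      (* client-supplied segment rejected: a request error, not a server fault *)
      Log.warn (fun m -> m "Rejected job parameter: %s" e);
      Response.of_plain_text ~status:`Bad_request "Bad request"
      |> Lwt.return
    | Ok job ->
      match Model.job t job with
      (* … unchanged: Ok and Error branches for Model.job … *)
```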