diff --git a/services/clsi/app.coffee b/services/clsi/app.coffee
index 7412c7f7ec..c7bbd8cf64 100644
--- a/services/clsi/app.coffee
+++ b/services/clsi/app.coffee
@@ -36,6 +36,12 @@ app.use (req, res, next) ->
 	res.setTimeout TIMEOUT
 	next()
 
+app.param 'project_id', (req, res, next, project_id) ->
+	if project_id?.match /^[a-zA-Z0-9_-]+$/
+		next()
+	else
+		next new Error("invalid project id")
+
 app.post   "/project/:project_id/compile", bodyParser.json(limit: "5mb"), CompileController.compile
 app.delete "/project/:project_id", CompileController.clearCache