diff --git a/internal/batches/service/service_test.go b/internal/batches/service/service_test.go
index c550cafd6d..da877edc33 100644
--- a/internal/batches/service/service_test.go
+++ b/internal/batches/service/service_test.go
@@ -594,6 +594,26 @@ changesetTemplate:
 `,
 expectedErr: errors.New("handling mount: step 1 mount path is not in the same directory or subdirectory as the batch spec"),
 },
+ {
+ name: "files target path with comma",
+ batchSpecDir: tempDir,
+ rawSpec: `
+name: test-spec
+description: A test spec
+steps:
+ - run: echo "hello"
+ container: alpine:3
+ files:
+ "/tmp/x,source=/var/run/docker.sock,target=/var/run/docker.sock": "IGNORED"
+changesetTemplate:
+ title: Test Files
+ body: Test files target path with comma
+ branch: test
+ commit:
+ message: Test
+`,
+ expectedErr: errors.New("parsing batch spec: step 1 files target path contains invalid characters"),
+ },
 {
 name: "mount path dot-dot traversal",
 batchSpecDir: tempDir,
diff --git a/lib/batches/batch_spec.go b/lib/batches/batch_spec.go
index e558c286f4..a9ccc6e146 100644
--- a/lib/batches/batch_spec.go
+++ b/lib/batches/batch_spec.go
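Review bot: The new table case pins only the comma, while `invalidMountCharacters` in the batch_spec.go hunk of this commit now also rejects `"`, `\n` and `\r`, so none of those three is exercised by any test in this hunk. A sibling case with a double quote or a newline inside the `files` key, expecting the same `step 1 files target path contains invalid characters` message, would cover the rest of the denylist. The existing mount cases, which presumably sit outside this hunk, have the same gap now that the constant has widened. The test table continues outside the hunk.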
@@ -169,19 +169,24 @@ func parseBatchSpec(schema string, data []byte) (*BatchSpec, error) {
 for i, step := range spec.Steps {
 for _, mount := range step.Mount {
- if strings.Contains(mount.Path, invalidMountCharacters) {
+ if strings.ContainsAny(mount.Path, invalidMountCharacters) {
 errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount path contains invalid characters", i+1)))
 }
- if strings.Contains(mount.Mountpoint, invalidMountCharacters) {
+ if strings.ContainsAny(mount.Mountpoint, invalidMountCharacters) {
 errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount mountpoint contains invalid characters", i+1)))
 }
 }
+ for name := range step.Files {
+ if strings.ContainsAny(name, invalidMountCharacters) {
+ errs = errors.Append(errs, NewValidationError(errors.Newf("step %d files target path contains invalid characters", i+1)))
+ }
+ }
 }
 return &spec, errs
 }
-
-const invalidMountCharacters = ","
+// docker uses Golang's `encoding/csv` library to parse arguments passed to `--mount`
+const invalidMountCharacters = ",\"\n\r"
 func (on *OnQueryOrRepository) String() string {
 if on.RepositoriesMatchingQuery != "" {
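Review bot: `invalidMountCharacters` now guards two different inputs (mount `Path`/`Mountpoint` and the keys of `step.Files`) but the comment added above it only says where Docker parses the value, not which character matters or why, so a later edit could trim the list without knowing what it protects; spell out the invariant: `// Characters that encoding/csv treats specially when docker parses --mount: ',' separates fields, '"' opens a quoted field, CR/LF end a record. Applied to mount paths and to files target paths.`. Because `step.Files` is a map, the new `for name := range step.Files` loop appends its validation errors in random order when several keys are invalid, making the joined error text nondeterministic; collecting the keys and sorting them with `sort.Strings` before the loop (or `slices.Sorted(maps.Keys(step.Files))` if the module's Go version allows it) would fix that. The switch from `strings.Contains` to `strings.ContainsAny` is required now that the constant is a set of characters rather than a single substring, and looks correct. `parseBatchSpec` starts before this hunk, and the `String` method at the bottom continues past it.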