diff --git a/branch/compare_branch.rs b/branch/compare_branch.rs
index e3ef994..ec0b5bd 100644
--- a/branch/compare_branch.rs
+++ b/branch/compare_branch.rs
@@ -7,6 +7,8 @@ impl GitBare {
         &self,
         request: CompareBranchRequest,
     ) -> GitResult<CompareBranchResponse> {
+        crate::sanitize::validate_ref_name(&request.source_branch)?;
+        crate::sanitize::validate_ref_name(&request.target_branch)?;
         let repo = self.gix_repo()?;
         let source_ref = format!("refs/heads/{}", request.source_branch);
         let target_ref = format!("refs/heads/{}", request.target_branch);
diff --git a/remote/mirror.rs b/remote/mirror.rs
index 855d329..8e2608f 100644
--- a/remote/mirror.rs
+++ b/remote/mirror.rs
@@ -16,6 +16,13 @@ impl GitBare {
             &request.remote_name
         };
         crate::sanitize::validate_ref_name(remote_name)?;
+
+        const MAX_REFSPECS: usize = 100;
+        if request.refspecs.len() > MAX_REFSPECS {
+            return Err(crate::error::GitError::InvalidArgument(format!(
+                "too many refspecs (max {MAX_REFSPECS})"
+            )));
+        }
         for rs in &request.refspecs {
             crate::sanitize::validate_refspec(rs)?;
         }
@@ -134,6 +141,13 @@ impl GitBare {
             &request.remote_name
         };
         crate::sanitize::validate_ref_name(remote_name)?;
+
+        const MAX_FETCH_REFSPECS: usize = 100;
+        if request.refspecs.len() > MAX_FETCH_REFSPECS {
+            return Err(crate::error::GitError::InvalidArgument(format!(
+                "too many refspecs (max {MAX_FETCH_REFSPECS})"
+            )));
+        }
         for rs in &request.refspecs {
             crate::sanitize::validate_refspec(rs)?;
         }