diff --git a/src/main/java/com/gluonhq/substrate/util/FileOps.java b/src/main/java/com/gluonhq/substrate/util/FileOps.java
index 9c9d3815..5ec3eaea 100644
--- a/src/main/java/com/gluonhq/substrate/util/FileOps.java
+++ b/src/main/java/com/gluonhq/substrate/util/FileOps.java
@@ -596,6 +596,9 @@ public static Map unzipFile(Path sourceZip, Path targetDir) thro
 ZipEntry zipEntry;
 while ((zipEntry = zis.getNextEntry()) != null) {
 Path destPath = targetDir.resolve(zipEntry.getName());
+ if (!destPath.normalize().startsWith(targetDir.normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 if (zipEntry.isDirectory()) {
 if (!Files.exists(destPath)) {
 Files.createDirectories(destPath);
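Review bot: The added containment check compares `destPath.normalize()` with `targetDir.normalize()` without making either side absolute, so a relative `targetDir` such as `.` normalizes to an empty path and `startsWith` may then reject legitimate entries. Computing `Path root = targetDir.toAbsolutePath().normalize();` once before the loop and testing `destPath.toAbsolutePath().normalize().startsWith(root)` avoids that and the per-entry re-normalization. The rejection is thrown as a bare `RuntimeException("Bad zip entry")`, which callers handling the method's declared checked exception will not catch and which does not name the refused entry; assuming the truncated `thro…` clause declares IOException, `throw new IOException("Zip entry escapes target directory: " + zipEntry.getName());` would be easier to handle and audit. The check is lexical only, so a short comment noting that symlinks already present under `targetDir` are not covered would help. The body of unzipFile starts and ends outside the hunk.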