diff --git a/src/main/java/com/pinnet/zip/FileUtils.java b/src/main/java/com/pinnet/zip/FileUtils.java
index b84de0a..f4021dc 100644
--- a/src/main/java/com/pinnet/zip/FileUtils.java
+++ b/src/main/java/com/pinnet/zip/FileUtils.java
@@ -85,7 +85,10 @@ private static void unzip(String outPath, ZipInputStream inputStream) throws IOE
 //不为空进入循环
 while (nextEntry != null) {
 String name = nextEntry.getName();
- File file = new File(outPath+name);
+ File file = new File(outPath, name);
+ if (!file.toPath().normalize().startsWith(outPath)) {
+ throw new RuntimeException("Bad zip entry");
+ }
 //如果是目录,创建目录
 if (name.endsWith("/")) {
 file.mkdir();
diff --git a/src/main/java/com/pinnet/zip/ZipIn.java b/src/main/java/com/pinnet/zip/ZipIn.java
index e2461b6..145139a 100644
--- a/src/main/java/com/pinnet/zip/ZipIn.java
+++ b/src/main/java/com/pinnet/zip/ZipIn.java
@@ -58,7 +58,10 @@ private static void decompressionFile(String outPath, ZipInputStream inputStream
 //不为空进入循环
 while (nextEntry != null) {
 String name = nextEntry.getName();
- File file = new File(outPath+name);
+ File file = new File(outPath, name);
+ if (!file.toPath().normalize().startsWith(outPath)) {
+ throw new RuntimeException("Bad zip entry");
+ }
 //如果是目录,创建目录
 if (name.endsWith("/")) {
 file.mkdir();
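Review bot: The added guard normalizes only one side of the comparison: `file.toPath().normalize()` is checked against the raw `outPath` string, so if `outPath` is itself un-normalized (contains `.`/`..` segments, or is relative while the entry resolves differently) `Path.startsWith` compares mismatched forms and either rejects legitimate entries or, after normalization collapses the base, no longer expresses the containment the check intends. Normalize both sides in the same form before comparing, e.g. `Path base = Paths.get(outPath).toAbsolutePath().normalize();` then `Path target = file.toPath().toAbsolutePath().normalize();` and `if (!target.startsWith(base)) {` (this needs `java.nio.file.Path`/`Paths` in scope, which I cannot confirm from the hunk). The same construction appears in both hunks (FileUtils.unzip and ZipIn.decompressionFile), so apply the fix in both. A bare `RuntimeException("Bad zip entry")` is also harder for callers to handle than an `IOException` subtype such as `java.util.zip.ZipException`, which the `throws IOE…` clause visible in the first hunk header appears to already permit; the second method's throws clause is cut off in its header, so confirm before changing it there. Both enclosing methods start and end outside the hunks.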