diff --git a/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java b/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
index d3d1acb..f57cac3 100644
--- a/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
+++ b/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
@@ -44,6 +44,9 @@ public static void unzip(final File zipFile, final File destination) throws IOEx
 while ((entry = in.getNextEntry()) != null) {
 final String path = entry.getName();
 final File file = new File(destination, path);
+ if (!file.toPath().normalize().startsWith(destination.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 continue;