diff --git a/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java b/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java
index 318fd8246658..7d7547f12f04 100755
--- a/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java
+++ b/web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java
@@ -184,9 +184,14 @@ protected static boolean addZippedTestModules(InputStream in) {
 //delete all previously added modules in case of prior test installations
 FileUtils.cleanDirectory(moduleRepository);
+
+ final File zipEntryFile = new File(moduleRepository, fileName);
+
+ if (!zipEntryFile.toPath().normalize().startsWith(moduleRepository.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
- OpenmrsUtil.copyFile(zipFile.getInputStream(entry), new BufferedOutputStream(new FileOutputStream(
- new File(moduleRepository, fileName))));
+ OpenmrsUtil.copyFile(zipFile.getInputStream(entry), new BufferedOutputStream(new FileOutputStream(zipEntryFile)));
 } else {
 log.debug("Ignoring file that is not a .omod '{}'", fileName);
 }
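Review bot: The new containment check throws `IOException("Bad zip entry")` without naming the entry, so a rejected traversal attempt leaves nothing to triage from; consider `throw new IOException("Zip entry resolves outside the module repository: " + fileName);` so the offending name reaches whatever handles the exception. The comparison itself is purely lexical, since `Path.normalize()` neither makes the paths absolute nor resolves symbolic links; that appears sufficient here because `moduleRepository` is emptied just above, but comparing `getCanonicalFile().toPath()` on both sides would not depend on that. The check also runs after `FileUtils.cleanDirectory(moduleRepository)`, so an archive with a bad entry still clears the repository before it is rejected. The body of addZippedTestModules starts and ends outside this hunk, so how the exception is caught and logged is not visible here.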