diff --git a/javaparser-core-testing/src/test/java/com/github/javaparser/utils/TestUtils.java b/javaparser-core-testing/src/test/java/com/github/javaparser/utils/TestUtils.java
index fa880bf4d..b2bfda6fb 100644
--- a/javaparser-core-testing/src/test/java/com/github/javaparser/utils/TestUtils.java
+++ b/javaparser-core-testing/src/test/java/com/github/javaparser/utils/TestUtils.java
@@ -177,6 +177,9 @@ public static void unzip(Path zipFile, Path outputFolder) throws IOException {
 while (ze != null) {
 final Path newFile = outputFolder.resolve(ze.getName());
+ if (!newFile.normalize().startsWith(outputFolder.normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (ze.isDirectory()) {
 Log.trace("mkdir %s", newFile::toAbsolutePath);
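Review bot: The containment check compares `newFile.normalize()` with `outputFolder.normalize()` exactly as the caller passed it, so the result depends on the form of `outputFolder`; for a relative folder such as `.` the normalized base is an empty path and, as far as I can tell, `startsWith` then rejects legitimate entries too (it fails closed, but the extraction breaks). Computing the base once before the loop, `final Path root = outputFolder.toAbsolutePath().normalize();`, and testing `if (!newFile.toAbsolutePath().normalize().startsWith(root))` makes the guard independent of how the path was spelled and avoids re-normalizing on every entry. The message `"Bad zip entry"` would be easier to act on with the entry name in it, e.g. `throw new IOException("Zip entry escapes output folder: " + ze.getName());`. `normalize()` is purely lexical and does not resolve symlinks that already exist under the output folder, which deserves a short comment above the check; the loop and the rest of `unzip` continue outside the hunk.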