diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
index 683a8b5..2f2ed8f 100644
--- a/src/main/java/org/testng/JarFileUtils.java
+++ b/src/main/java/org/testng/JarFileUtils.java
@@ -77,6 +77,9 @@ class JarFileUtils {
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 Files.copyFile(inputStream, copyFile);
 if (matchesXmlPathInJar(je)) {
 suitePath = copyFile.toString();
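Review bot: The new guard runs after `jf.getInputStream(je)` has already been opened, so on the rejected-entry path that stream is thrown away unclosed (nothing visible in the hunk closes it; `Files.copyFile` presumably does on the normal path); move the check ahead of the `getInputStream` call so rejection happens before any resource is acquired. The comparison itself is sound because `Path.startsWith` matches whole name elements rather than a string prefix, but if `file` can be a relative path such as `.`, `normalize()` reduces it to the empty path and legitimate entries would fail the check — comparing `toAbsolutePath().normalize()` on both sides avoids that (inferred from the Path contract, worth confirming with a test). The message would also help an operator if it named the offending entry: `throw new IOException("Bad zip entry: " + jeName);`. The enclosing method begins and ends outside this hunk.
```java
      if (Parser.canParse(jeName.toLowerCase())) {
        // Reject entries that would land outside the extraction directory before opening any stream.
        File copyFile = new File(file, jeName);
        if (!copyFile.toPath().toAbsolutePath().normalize()
            .startsWith(file.toPath().toAbsolutePath().normalize())) {
          throw new IOException("Bad zip entry: " + jeName);
        }
        InputStream inputStream = jf.getInputStream(je);
        Files.copyFile(inputStream, copyFile);
        // … unchanged: matchesXmlPathInJar / suitePath handling …
```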