diff --git a/src/main/java/com/diffplug/gradle/ZipMisc.java b/src/main/java/com/diffplug/gradle/ZipMisc.java
index baf8ee32..78cf6d08 100644
--- a/src/main/java/com/diffplug/gradle/ZipMisc.java
+++ b/src/main/java/com/diffplug/gradle/ZipMisc.java
@@ -178,6 +178,9 @@ public static void unzip(File input, File destinationDir) throws IOException {
 ZipEntry entry;
 while ((entry = zipInput.getNextEntry()) != null) {
 File dest = new File(destinationDir, entry.getName());
+ if (!dest.toPath().normalize().startsWith(destinationDir.toPath().normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 FileMisc.mkdirs(dest);
 } else {
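Review bot: The containment check added after `File dest = ...` is purely lexical: `Path.normalize()` does not touch the file system, so it neither makes a relative `destinationDir` absolute nor resolves a symlink that already exists under the destination. It would be more robust to compute the root once before the loop, `Path root = destinationDir.getCanonicalFile().toPath();`, and test `dest.getCanonicalFile().toPath().startsWith(root)`. With a relative root such as `.`, the normalized prefix becomes an empty path, and I believe the current comparison then rejects legitimate entries too; that is worth a unit test. Since `unzip` already declares `throws IOException`, the rejection would be easier to handle and triage as `throw new IOException("Zip entry escapes destination dir: " + entry.getName());` than as a bare `RuntimeException("Bad zip entry")`. The body of `unzip` starts and ends outside this hunk, so whether `dest` is used unchanged further down should be confirmed.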