diff --git a/twill-ext/src/main/java/org/apache/twill/ext/BundledJarRunner.java b/twill-ext/src/main/java/org/apache/twill/ext/BundledJarRunner.java
index 4b8641e..49a13b4 100644
--- a/twill-ext/src/main/java/org/apache/twill/ext/BundledJarRunner.java
+++ b/twill-ext/src/main/java/org/apache/twill/ext/BundledJarRunner.java
@@ -128,6 +128,9 @@ private void unJar(JarFile jarFile, File targetDirectory) throws IOException {
 while (entries.hasMoreElements()) {
 JarEntry entry = entries.nextElement();
 File output = new File(targetDirectory, entry.getName());
+ if (!output.toPath().normalize().startsWith(targetDirectory.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 output.mkdirs();
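Review bot: The added containment check in unJar compares paths exactly as `targetDirectory` was passed in, and the exception it throws does not say which entry was rejected. If a caller ever supplies a relative directory such as `.`, `normalize()` reduces it to an empty path and `startsWith` returns false for every entry, so legitimate jars would fail to extract (the callers are not visible here, so this may not occur in practice). Anchoring both sides and naming the entry would make the guard more robust and easier to triage: `if (!output.toPath().toAbsolutePath().normalize().startsWith(targetDirectory.toPath().toAbsolutePath().normalize())) {` and `throw new IOException("Jar entry escapes target directory: " + entry.getName());`. A one-line comment such as `// Reject entries whose name resolves outside targetDirectory (path traversal via "..")` above the check would record why it is there. The body of unJar starts and ends outside this hunk.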