diff --git a/core/src/main/java/org/projectodd/wunderboss/ApplicationRunner.java b/core/src/main/java/org/projectodd/wunderboss/ApplicationRunner.java
index 21f4bbe..bb4a465 100644
--- a/core/src/main/java/org/projectodd/wunderboss/ApplicationRunner.java
+++ b/core/src/main/java/org/projectodd/wunderboss/ApplicationRunner.java
@@ -18,10 +18,7 @@ import org.slf4j.Logger;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
+import java.io.*;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
@@ -125,7 +122,10 @@ public void run() {
 if (!match) {
 continue;
 }
- File file = new File(extractRoot + "/" + name);
+ File file = new File(extractRoot, name);
+ if (!file.toPath().normalize().startsWith(extractRoot)) {
+ throw new IOException("Bad zip entry");
+ }
 if (zipEntry.isDirectory()) {
 file.mkdirs();
 } else {
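Review bot: The four explicit java.io imports are replaced by a wildcard `import java.io.*;`, apparently only to bring in the IOException that the second hunk throws; the neighbouring java.net imports in this same header stay explicit, so the wildcard is a style inconsistency rather than a necessity. Keep the four original lines and add `import java.io.IOException;` so a reader can still see exactly which java.io types the class depends on.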
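Review bot: The traversal check normalizes the entry path but compares it against the raw `extractRoot`, so it is only correct when extractRoot is already absolute and normalized; `Path.startsWith` compares name components, and a relative root such as `./out` or one containing `..` makes every legitimate entry fail the check and abort the extraction. The overload used also implies extractRoot is a String (a File would not compile here), which is inferred, not visible. Derive one absolute, normalized root, resolve each entry against it and compare the normalized result, as below; ideally `root` is computed once before the loop, whose head is outside the hunk. Naming the offending entry in the message makes a rejected archive diagnosable, and the rewrite needs `java.nio.file.Path` and `java.nio.file.Paths` in scope. `run()` starts and ends outside the hunk; if it is `Runnable.run()`, the checked IOException must be inside an enclosing try block that is not visible here.
```java
            // … unchanged: entry name matching / continue …
            Path root = Paths.get(extractRoot).toAbsolutePath().normalize();
            Path target = root.resolve(name).normalize();
            if (!target.startsWith(root)) {
                throw new IOException("Zip entry outside extract root: " + name);
            }
            File file = target.toFile();
            // … unchanged: directory / file extraction …
```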