diff --git a/src/main/java/io/sightly/tck/TCK.java b/src/main/java/io/sightly/tck/TCK.java
index 35e1cfd..307f1b8 100644
--- a/src/main/java/io/sightly/tck/TCK.java
+++ b/src/main/java/io/sightly/tck/TCK.java
@@ -125,6 +125,9 @@ private void extract(String extractDir) throws IOException {
 String entryName = entry.getName();
 if (entryName.startsWith(TESTFILES)) {
 File file = new File(extractFolder, entryName);
+ if (!file.toPath().normalize().startsWith(extractFolder.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 if (!file.mkdir()) {
 throw new IOException("Unable to create folder " + file.getAbsolutePath());
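Review bot: The added containment check compares paths that are only lexically normalized, so its result depends on how `extractFolder` was built, which happens outside this hunk. If that folder is relative (for example `.`), its normalized form may be empty and legitimate entries could be rejected, and `normalize()` does not resolve symlinks that already exist under the target. Anchoring both sides first is safer: `Path base = extractFolder.toPath().toAbsolutePath().normalize();` followed by `if (!file.toPath().toAbsolutePath().normalize().startsWith(base)) {`. The exception would also be easier to triage if it named the entry, e.g. `throw new IOException("Zip entry escapes extraction folder: " + entryName);`. The body of `extract` starts and ends outside the hunk.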