diff --git a/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java b/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java index e8e3359..4096d3a 100644 --- a/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java +++ b/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java @@ -99,8 +99,10 @@ public static void extractZip(final ZipInputStream zis, final File destDir) LOGGER.logp(Level.FINER, "ZipUtil", "extractZip", "ZipEntry name = {0}, size = {1}", new Object[]{ze.getName(), ze.getSize()}); - java.io.File f = new java.io.File(destDir + java.io.File.separator - + ze.getName()); + java.io.File f = new File(destDir, ze.getName()); + if (!f.toPath().normalize().startsWith(destDir.toPath().normalize())) { + throw new IOException("Bad zip entry"); + } if (ze.isDirectory()) { if (!f.exists()) { if (!f.mkdirs()) {
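Review bot: The containment check added after `new File(destDir, ze.getName())` compares two lexically normalized paths without making them absolute, so it is only dependable when `destDir` is absolute. `Path.normalize()` keeps the leading `..` components of a relative path, so with a relative `destDir` that still begins with `..` after normalization, `startsWith` can accept an entry that resolves outside the destination. Making both sides absolute first closes that gap: `if (!f.toPath().toAbsolutePath().normalize().startsWith(destDir.toPath().toAbsolutePath().normalize())) {`. It would also help to name the rejected entry, `throw new IOException("Zip entry is outside the destination directory: " + ze.getName());`, so a refused archive can be diagnosed from the error alone. The body of `extractZip` starts and ends outside this hunk, so how callers construct `destDir` and whether it can contain symbolic links (which `normalize()` does not resolve) is not visible here.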