diff --git a/src/main/java/com/perye/dokit/utils/ZipUtils.java b/src/main/java/com/perye/dokit/utils/ZipUtils.java
index 13fd48e..0159387 100644
--- a/src/main/java/com/perye/dokit/utils/ZipUtils.java
+++ b/src/main/java/com/perye/dokit/utils/ZipUtils.java
@@ -32,7 +32,10 @@ public static void unZipIt(String zipFilePath, String outputFolder) {
             ZipEntry ze = zis.getNextEntry();
             while (ze != null) {
                 String fileName = ze.getName();
-                File newFile = new File(outputFolder + File.separator + fileName);
+                File newFile = new File(outputFolder, fileName);
+                if (!newFile.toPath().normalize().startsWith(outputFolder)) {
+                    throw new RuntimeException("Bad zip entry");
+                }
                 System.out.println("file unzip : " + newFile.getAbsoluteFile());
                 //大部分网络上的源码，这里没有判断子目录
                 if (ze.isDirectory()) {
@@ -69,6 +72,10 @@ public static void unzip(File source, String out) throws IOException {
 
                 File file = new File(out, entry.getName());
 
+                if (!file.toPath().normalize().startsWith(out)) {
+                    throw new RuntimeException("Bad zip entry");
+                }
+
                 if (entry.isDirectory()) {
                     if (!file.mkdirs()) {
                         System.out.println("was not successful.");