diff --git a/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java b/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java
index 5e9aa84c..f571e10e 100644
--- a/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java
+++ b/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java
@@ -80,7 +80,16 @@ public List list(URL url, String path) throws IOException {
 if (log.isLoggable(Level.FINER)) {
 log.log(Level.FINER, "Jar entry: " + entry.getName());
 }
- children.add(entry.getName());
+ String entryName = entry.getName();
+ File entryFile = new File(path, entryName).getCanonicalFile();
+ File baseDir = new File(path).getCanonicalFile();
+ if (!entryFile.toPath().startsWith(baseDir.toPath())) {
+ if (log.isLoggable(Level.WARNING)) {
+ log.log(Level.WARNING, "Skipping potentially unsafe entry: " + entryName);
+ }
+ continue;
+ }
+ children.add(entryName);
 }
 }
 } else {
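Review bot: The containment check in the added lines resolves `path` and each `entryName` through `getCanonicalFile()`, which consults the real filesystem relative to the process working directory, although `path` appears to be a resource path inside the archive rather than a directory on disk (inferred from the `list(URL url, String path)` signature; the method body starts and ends outside this hunk). The verdict can therefore depend on symlinks or directories that happen to exist under the working directory, and `baseDir` is recomputed for every entry even though it never changes. A lexical check computed once before the loop would avoid both: `Path base = Paths.get(path).toAbsolutePath().normalize();` and then `if (!base.resolve(entryName).normalize().startsWith(base))`, treating an `InvalidPathException` from a malformed name as unsafe. The WARNING message also writes the archive-supplied `entryName` verbatim, so consider replacing control characters before logging it so a crafted name cannot forge log lines.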