This vulnerability was analyzed during Episode 131 on 28 March 2022
When the bulk import API imported a group that had any uploads, it downloaded the group's uploads.tar.gz and extracted it without filtering out symlinks. When the extracted files were later listed, viewing any of the symlinked files followed the symlink, so arbitrary files outside the upload directory could be read.
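The bug has two stages, and each has its own defensive check: the archive should be audited before extraction so that link entries and escaping paths never land on disk, and the code that later serves a file from the upload directory should refuse anything that is a symlink or resolves outside that directory. The following is an added example written for this page, not code from the episode or from the affected product; the archive contents, file names (`uploads/readme.txt`, `uploads/avatar.png`) and the helper names (`audit_archive`, `safe_extract`, `safe_open_upload`) are all constructed for the demo.

```python
"""
Added example (not from the original episode notes or the affected product):
two defensive checks against a symlink-in-archive arbitrary file read.

1. audit_archive()/safe_extract(): inspect a tar.gz before extraction and drop
   any member that is a symlink/hardlink, a special file, or whose path
   resolves outside the destination directory.
2. safe_open_upload(): when serving a file from the upload directory later,
   refuse symlinks and paths that resolve outside the directory, so a link
   that reached disk by some other route still cannot be followed.
All names and contents below are constructed for the demo.
"""
import io
import os
import tarfile
import tempfile


def build_demo_archive() -> bytes:
    """Construct an uploads.tar.gz-style archive (constructed sample data) with one
    benign file, one symlink whose target escapes the upload directory, and one
    path-traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"hello"
        info = tarfile.TarInfo("uploads/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("uploads/avatar.png")  # looks like an image
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc/hostname"   # constructed escaping target
        tar.addfile(link)

        trav = tarfile.TarInfo("uploads/../../outside.txt")  # classic traversal
        trav.size = len(data)
        tar.addfile(trav, io.BytesIO(data))
    return buf.getvalue()


def _inside(root: str, candidate: str) -> bool:
    """True if candidate resolves to a path under root (both fully resolved)."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def audit_archive(archive: bytes, dest: str):
    """Return (accepted, rejected); rejected holds (name, reason) pairs."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                rejected.append((m.name, "link entry"))
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "special file"))
            elif not _inside(dest, os.path.join(dest, m.name)):
                rejected.append((m.name, "path escapes destination"))
            else:
                accepted.append(m.name)
    return accepted, rejected


def safe_extract(archive: bytes, dest: str):
    """Extract only the members that passed audit_archive()."""
    accepted, rejected = audit_archive(archive, dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.name in accepted]
        # Python 3.12+ (and backports) also ship tarfile's 'data' filter; use it
        # as a second layer when available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return accepted, rejected


def safe_open_upload(upload_dir: str, name: str) -> bytes:
    """Serve a stored upload without following links out of upload_dir."""
    path = os.path.join(upload_dir, name)
    # islink() checks the final component without following it; the realpath
    # check below also catches symlinked intermediate directories.
    if os.path.islink(path):
        raise PermissionError(f"refusing symlink: {name}")
    if not _inside(upload_dir, path):
        raise PermissionError(f"path escapes upload dir: {name}")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Run both checks; returns (accepted, rejected, link_refused, content)."""
    archive = build_demo_archive()
    with tempfile.TemporaryDirectory() as dest:
        accepted, rejected = safe_extract(archive, dest)
        # Simulate a link that reached the upload dir anyway and confirm the
        # serving check refuses it (constructed target path).
        os.symlink("/etc/hostname", os.path.join(dest, "uploads", "sneaky"))
        try:
            safe_open_upload(dest, "uploads/sneaky")
            link_refused = False
        except PermissionError:
            link_refused = True
        content = safe_open_upload(dest, "uploads/readme.txt")
    return accepted, rejected, link_refused, content


if __name__ == "__main__":
    print(demo())
```

Rejecting link entries outright is the simplest correct policy for an upload archive, since nothing legitimate in such an archive needs a symlink; the serving-side check exists because extraction is rarely the only way files arrive in a directory.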