[GitLab] Arbitrary file read via the bulk imports UploadsPipeline ($29000 USD)
We discussed this vulnerability during Episode 131 on 28 March 2022
The bulk import API, when importing a group that had any uploads, would download the group's uploads.tar.gz
and extract it, including any symlink entries it contained. When the extracted files are later listed, viewing any of the symlinked files results in the symlink being followed, so arbitrary files outside the upload directory can be read.
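To make the bug class concrete, here is an added Ruby example (not GitLab's code, and not from the episode) that builds a small tar archive containing a normal file, a symlink entry pointing outside the extraction directory, and a `../` path entry, then extracts it twice: once naively, the way the vulnerable pipeline did, and once with the checks a hardened extractor needs. The function names, the archive contents and the `secret.txt` target are all constructed for the example; the gzip layer of the real uploads.tar.gz is left out since it does not affect the symlink handling.

```ruby
require 'rubygems/package'
require 'stringio'
require 'tmpdir'
require 'fileutils'

# Constructed sample archive: one legitimate upload, one symlink entry whose
# target is an arbitrary file outside the upload directory, and one entry
# whose name escapes via "..". (Hypothetical contents, not GitLab data.)
def build_malicious_tar(link_target)
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file('avatar.png', 0644) { |f| f.write('not really a png') }
    tar.add_symlink('notes.txt', link_target, 0644)
    tar.add_file('../escape.txt', 0644) { |f| f.write('outside') }
  end
  io.string
end

# Naive extraction: recreates symlink entries as real symlinks, so a later
# read of "notes.txt" follows the link out of the upload directory.
def extract_naive(tar_bytes, dest)
  FileUtils.mkdir_p(dest)
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      path = File.join(dest, entry.full_name)
      if entry.symlink?
        File.symlink(entry.header.linkname, path)
      elsif entry.file?
        File.binwrite(path, entry.read)
      end
    end
  end
end

# Hardened extraction: drop symlinks (typeflag "2") and hard links ("1"),
# and refuse any entry whose resolved path does not stay under dest.
# Returns the names of the entries that were rejected.
def extract_safe(tar_bytes, dest)
  FileUtils.mkdir_p(dest)
  real_dest = File.realpath(dest)
  skipped = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = File.expand_path(name, real_dest)
      unsafe_type = entry.symlink? || entry.header.typeflag == '1'
      escapes = !target.start_with?(real_dest + File::SEPARATOR)
      if unsafe_type || escapes
        skipped << name
        next
      end
      if entry.directory?
        FileUtils.mkdir_p(target)
      elsif entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
      end
    end
  end
  skipped
end

# Stand-in for "list the extracted uploads, then view one of them".
def view_upload(dest, name)
  File.read(File.join(dest, name))
end

# Runs both extractions against the same archive and reports what happened.
def demo
  Dir.mktmpdir do |root|
    secret = File.join(root, 'secret.txt')          # file an attacker wants
    File.write(secret, 'db_password=hunter2')       # constructed content
    tar = build_malicious_tar(secret)

    naive_dir = File.join(root, 'naive')
    extract_naive(tar, naive_dir)
    leaked = view_upload(naive_dir, 'notes.txt')    # follows the symlink

    safe_dir = File.join(root, 'safe')
    skipped = extract_safe(tar, safe_dir)
    {
      leaked: leaked,
      skipped: skipped,
      safe_has_link: File.symlink?(File.join(safe_dir, 'notes.txt')),
      safe_avatar: view_upload(safe_dir, 'avatar.png')
    }
  end
end

puts demo.inspect if __FILE__ == $0
```

The naive path reads the secret through the symlink exactly as the page describes; the hardened path keeps the legitimate upload, records the two rejected entries, and never creates the link. Checking `typeflag` rather than only the extracted filename matters because a symlink entry looks like an ordinary file in a directory listing until it is opened.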