GitLab: Arbitrary file read via the bulk imports UploadsPipeline
Summary

The bulk imports API does not remove symlinks when untarring the uploads.tar.gz file, allowing arbitrary files to be read and uploaded when importing a group. When a group has uploads such as markdown attachments, an uploads.tar.gz file will be downloaded and extracted in the...
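
A pre-extraction check for the condition the summary describes, as an added example that is not GitLab's code or its fix: it uses Ruby's bundled Gem::Package::TarReader to list link members of an uploads archive before anything is written to disk. The function names, member paths and link target are constructed for illustration.

```ruby
require 'rubygems/package'
require 'stringio'
require 'zlib'

# Tar typeflags that are plain content: regular file ('0' or NUL) and directory ('5').
SAFE_TYPEFLAGS = ['0', "\0", '5'].freeze

# Returns [member_name, reason] pairs for every member that should not be
# extracted. Only headers are inspected; nothing is written to disk.
def unsafe_tar_members(tar_gz_bytes)
  findings = []
  Zlib::GzipReader.wrap(StringIO.new(tar_gz_bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each do |entry|
        header = entry.header
        name = entry.full_name
        case header.typeflag
        when '2' then findings << [name, "symlink -> #{header.linkname}"]
        when '1' then findings << [name, "hardlink -> #{header.linkname}"]
        else
          unless SAFE_TYPEFLAGS.include?(header.typeflag)
            findings << [name, "unexpected type #{header.typeflag.inspect}"]
          end
        end
      end
    end
  end
  findings
end

# Constructed sample archive: one regular attachment and, optionally, a member
# that is named like an upload but is a symlink to a placeholder path.
def sample_uploads_archive(with_symlink: true)
  tar_io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    tar.add_file_simple('uploads/abc123/notes.txt', 0o644, 5) { |f| f.write('hello') }
    tar.add_symlink('uploads/abc123/logo.png', '/placeholder/target', 0o777) if with_symlink
  end
  Zlib.gzip(tar_io.string)
end

if __FILE__ == $PROGRAM_NAME
  unsafe_tar_members(sample_uploads_archive).each do |name, reason|
    puts "refusing to extract #{name}: #{reason}"
  end
end
```

An importer that runs a check like this can reject the whole archive when the list is non-empty, instead of cleaning up links after extraction.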