Restore: stale symlink can cause out-of-repo write (CWE-59)

Please describe what you are doing to trigger the bug:

Migrating my revisions out of duplicacy and into restic. :slight_smile:

In this case, revision 1 created /repo/etc/resolv.conf which was an absolute symlink resolving outside of the repository. Revision 2 then restored /repo/etc/resolv.conf, which was a regular file. Rather than replace the symlink located at /repo/etc/resolv.conf, duplicacy followed the symlink, overwriting the target (which happened to live outside of the repository). Oops.

Please describe what you expect to happen (but doesn’t):

(1) Never blindly follow symlinks during restore
(2) Definitely don’t ever write outside of the repository root during a restore

The restore behavior in general surrounding this situation (on-disk object is different type than revision object) is inconsistent at best, just plan buggy at worst. For example, even with -overwrite and -delete, duplicacy will not replace a non-empty on-disk directory with a file during a restore. So in some cases, it’s actually impossible to get duplicacy to restore a repository to a particular revision state.

But for now, it should at least not overwrite non-repository files. :upside_down_face: