Code from highly respected F5 enterprise web security appliances basically runs tar as root on input from HTTP at /mgmt/tm/util/bash URL 🤔 And it's 2021.