fix(cp): fix root path validation and uid/gid preservation

- Fix sanitizeTarPath to handle root '/' as destination correctly
- Remove omitempty from Uid/Gid fields so 0 values (root ownership) are sent to server
- Update hypeman-go dependency with symlink fixes

Author: rgarcia

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/itchyny/json2yaml v0.1.4
 	github.com/muesli/reflow v0.3.0
-	github.com/onkernel/hypeman-go v0.7.1-0.20251223032806-c8e386b69845
+	github.com/onkernel/hypeman-go v0.7.1-0.20251223035311-40c729ef8c06
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/pretty v1.2.1
 	github.com/urfave/cli-docs/v3 v3.0.0-alpha6

pkg/cmd/cp.go

@@ -28,8 +28,8 @@ type cpRequest struct {
 	IsDir       bool   `json:"is_dir,omitempty"`
 	Mode        uint32 `json:"mode,omitempty"`
 	FollowLinks bool   `json:"follow_links,omitempty"`
-	Uid         uint32 `json:"uid,omitempty"`
-	Gid         uint32 `json:"gid,omitempty"`
+	Uid         uint32 `json:"uid"`
+	Gid         uint32 `json:"gid"`
 }
 
 // cpFileHeader is received from the server when copying from guest
@@ -257,7 +257,13 @@ func sanitizeTarPath(basePath, entryName string) (string, error) {
 	// Verify the result is under the base path
 	// path.Clean removes trailing slashes, so compare cleaned versions
 	cleanBase := path.Clean(basePath)
-	if !strings.HasPrefix(targetPath, cleanBase+"/") && targetPath != cleanBase {
+	// Special case: if basePath is "/" (root), any absolute path under it is valid
+	if cleanBase == "/" {
+		// For root destination, just ensure the target is an absolute path (which path.Join guarantees)
+		if !strings.HasPrefix(targetPath, "/") {
+			return "", fmt.Errorf("invalid tar entry: path escapes destination: %s", entryName)
+		}
+	} else if !strings.HasPrefix(targetPath, cleanBase+"/") && targetPath != cleanBase {
 		return "", fmt.Errorf("invalid tar entry: path escapes destination: %s", entryName)
 	}