fix: multiple cp improvements

- Close resp.Body in copyTarFileToInstance on dial failure
- Add receivedFinal flag to detect incomplete transfers in copyFromInstanceToStdout
- Use path package for guest paths in sanitizeTarPath (cross-platform compatibility)
- Update hypeman-go dependency

Author: rgarcia

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/itchyny/json2yaml v0.1.4
 	github.com/muesli/reflow v0.3.0
-	github.com/onkernel/hypeman-go v0.7.1-0.20251223024018-6970d69a9e1e
+	github.com/onkernel/hypeman-go v0.7.1-0.20251223025630-30d438f9919f
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/pretty v1.2.1
 	github.com/urfave/cli-docs/v3 v3.0.0-alpha6

go.sum

@@ -105,8 +105,8 @@ github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
 github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
-github.com/onkernel/hypeman-go v0.7.1-0.20251223024018-6970d69a9e1e h1:XY7ZZOqyYfSVhGOtx+Z7rK4RyvqYWgfseTmqGTXIGMI=
-github.com/onkernel/hypeman-go v0.7.1-0.20251223024018-6970d69a9e1e/go.mod h1:Wtm4ewVGGPZc2ySeeuQISQyJxujyQuyDjXyksVkIyy8=
+github.com/onkernel/hypeman-go v0.7.1-0.20251223025630-30d438f9919f h1:5Tnk4IxErhHxg1D2z+OSfpC2RtISoqRlZEsPsvyZVLk=
+github.com/onkernel/hypeman-go v0.7.1-0.20251223025630-30d438f9919f/go.mod h1:Wtm4ewVGGPZc2ySeeuQISQyJxujyQuyDjXyksVkIyy8=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=

pkg/cmd/cp.go

@@ -249,34 +249,28 @@ func isWindowsPath(path string) bool {
 
 // sanitizeTarPath validates and sanitizes a tar entry path to prevent path traversal attacks.
 // Returns the sanitized target path or an error if the path is malicious.
+// Uses path package (not filepath) because tar paths and guest paths use forward slashes.
 func sanitizeTarPath(basePath, entryName string) (string, error) {
-	// Clean the entry name
-	clean := filepath.Clean(entryName)
+	// Clean the entry name using path.Clean (forward slashes for guest/tar paths)
+	clean := path.Clean(entryName)
 
-	// Reject absolute paths
-	if filepath.IsAbs(clean) {
+	// Reject absolute paths (Linux paths start with /)
+	if strings.HasPrefix(clean, "/") {
 		return "", fmt.Errorf("invalid tar entry: absolute path not allowed: %s", entryName)
 	}
 
-	// Reject paths that start with ..
+	// Reject paths that start with .. (escaping destination)
 	if strings.HasPrefix(clean, "..") {
 		return "", fmt.Errorf("invalid tar entry: path escapes destination: %s", entryName)
 	}
 
-	// Join with base path
-	targetPath := filepath.Join(basePath, clean)
+	// Join with base path using path.Join (forward slashes for guest paths)
+	targetPath := path.Join(basePath, clean)
 
 	// Verify the result is under the base path
-	absBase, err := filepath.Abs(basePath)
-	if err != nil {
-		return "", fmt.Errorf("resolve base path: %w", err)
-	}
-	absTarget, err := filepath.Abs(targetPath)
-	if err != nil {
-		return "", fmt.Errorf("resolve target path: %w", err)
-	}
-
-	if !strings.HasPrefix(absTarget, absBase+string(filepath.Separator)) && absTarget != absBase {
+	// path.Clean removes trailing slashes, so compare cleaned versions
+	cleanBase := path.Clean(basePath)
+	if !strings.HasPrefix(targetPath, cleanBase+"/") && targetPath != cleanBase {
 		return "", fmt.Errorf("invalid tar entry: path escapes destination: %s", entryName)
 	}
 
@@ -793,6 +787,7 @@ func copyTarFileToInstance(ctx context.Context, baseURL, apiKey, instanceID stri
 	ws, resp, err := dialer.DialContext(ctx, wsURL, headers)
 	if err != nil {
 		if resp != nil {
+			defer resp.Body.Close()
 			body, _ := io.ReadAll(resp.Body)
 			return fmt.Errorf("websocket connect failed (HTTP %d): %s", resp.StatusCode, string(body))
 		}
@@ -894,6 +889,7 @@ func copyFromInstanceToStdout(ctx context.Context, baseURL, apiKey, instanceID,
 
 	var currentHeader *cpFileHeader
 	var fileData []byte
+	var receivedFinal bool
 
 	for {
 		msgType, message, err := ws.ReadMessage()
@@ -970,6 +966,7 @@ func copyFromInstanceToStdout(ctx context.Context, baseURL, apiKey, instanceID,
 				var endMarker cpEndMarker
 				json.Unmarshal(message, &endMarker)
 				if endMarker.Final {
+					receivedFinal = true
 					return nil
 				}
 
@@ -984,6 +981,10 @@ func copyFromInstanceToStdout(ctx context.Context, baseURL, apiKey, instanceID,
 		}
 	}
 
+	// If connection closed without receiving final marker, the transfer was incomplete
+	if !receivedFinal {
+		return fmt.Errorf("copy stream ended without completion marker")
+	}
 	return nil
 }