feat(delete): add --dry-run flag and safety guardrails

[ishaanxgupta]

Description

This PR adds security hardening to the urunc delete command to prevent accidental deletion of host system paths and provides a dry-run mode for safe preview of operations.

1. Dry-Run Functionality

• Added --dry-run (-n) flag to preview what would be deleted without actually deleting
• Implemented DryRunDelete() method that shows all paths that would be removed
• Useful for debugging and verifying delete operations

2. Path Traversal Protection

• validateContainerID(): Prevents path traversal attacks via containerID
  • Blocks .. sequences
  • Blocks absolute paths
  • Blocks path separators
• Example: urunc delete ../../etc is now rejected

3. Path Safety Validation

• validateDeletionPath(): Ensures target paths stay within expected boundaries
  • Validates paths are within rootDir
  • Uses filepath.Rel() to detect escapes
• validatePathSafety(): Additional safety layer in unikontainers package
  • Checks against critical system path denylist
  • Prevents deletion of /, /usr, /etc, /lib, etc.

Related issues

Fixes #423

How was this tested?

• Code review for logic correctness
• Verified no compilation errors
• Validated against existing code patterns
• Checked error handling paths
• Ensured backward compatibility
• Confirmed validation functions work correctly

LLM usage

GitHub Copilot assisted with code implementation

Checklist

• I have read the contribution guide.
• The linter passes locally (make lint).
• The e2e tests of at least one tool pass locally (make test_ctr, make test_nerdctl, make test_docker, make test_crictl).
• If LLMs were used: I have read the llm policy.

collaborated with @hemang1404

[netlify]

✅ Deploy Preview for urunc canceled.

Name	Link
🔨 Latest commit	14347ba
🔍 Latest deploy log	https://app.netlify.com/projects/urunc/deploys/6982c9c9e6a5630008cb9834

[cmainas]

Please do not open PRs for issues that have not be identified as such yet.

[cmainas]

Duplicate with #436