Summary
The date builtin at builtins/date.rs uses chrono::Local and chrono::Utc to get the real system time. Other identity builtins (hostname, whoami, uname, id) return virtualized values, but date does not.
Additionally, curl.rs:327-330 uses std::time::SystemTime::now() for multipart boundary generation, leaking nanosecond-precision host time into HTTP request bodies.
Impact — LOW
Timezone fingerprinting and timing correlation attacks. Inconsistent with the virtualization principle applied to other system builtins.
Recommended fix
Add a configurable time source to Bash::builder():
Bash::builder()
    .time_source(TimeSource::Fixed(epoch)) // or Offset(delta)
    .build();
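A sketch of what such a time source could look like, covering the `date` path only. This is an added example, not the project's code: `TimeSource::System`, `now_secs`, `format_utc` and `virtual_date` are hypothetical names, and only `Fixed` and `Offset` come from the proposal above. It uses only the standard library so that UTC formatting does not consult the host timezone.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Hypothetical time source. `Fixed` and `Offset` follow the proposal above;
/// `System` is an assumed passthrough variant for non-sandboxed use.
#[derive(Clone, Copy, Debug)]
pub enum TimeSource {
    System,
    Fixed(u64),  // seconds since the Unix epoch; never advances
    Offset(i64), // host clock shifted by a signed number of seconds
}

impl TimeSource {
    /// Seconds since the Unix epoch as the sandboxed script should see them.
    pub fn now_secs(&self) -> u64 {
        let host = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap_or(Duration::ZERO)
            .as_secs();
        match *self {
            TimeSource::System => host,
            TimeSource::Fixed(epoch) => epoch,
            TimeSource::Offset(delta) => host.saturating_add_signed(delta),
        }
    }
}

/// Render epoch seconds as UTC `YYYY-MM-DDTHH:MM:SSZ` without touching the host timezone.
pub fn format_utc(secs: u64) -> String {
    let (days, rem) = ((secs / 86_400) as i64, secs % 86_400);
    // Civil-from-days conversion (Howard Hinnant's algorithm).
    let z = days + 719_468;
    let era = z.div_euclid(146_097);
    let doe = z.rem_euclid(146_097);
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let day = doy - (153 * mp + 2) / 5 + 1;
    let month = if mp < 10 { mp + 3 } else { mp - 9 };
    let year = yoe + era * 400 + if month <= 2 { 1 } else { 0 };
    let (h, m, s) = (rem / 3_600, rem % 3_600 / 60, rem % 60);
    format!("{year:04}-{month:02}-{day:02}T{h:02}:{m:02}:{s:02}Z")
}

/// What a virtualized `date -u` would print for the given source.
pub fn virtual_date(src: &TimeSource) -> String {
    format_utc(src.now_secs())
}
```

With `Fixed`, repeated calls return the same instant, which also makes the regression test deterministic. `Offset` hides the absolute host time but still exposes elapsed time.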
Tests
Regression test (currently #[ignore]):
security_audit_date_uses_virtual_time
Cross-references