security: date builtin leaks real host time (TM-INF-018)

## Summary

The `date` builtin at `builtins/date.rs` uses `chrono::Local` and `chrono::Utc` to get the real system time. Other identity builtins (`hostname`, `whoami`, `uname`, `id`) return virtualized values, but `date` does not.

Additionally, `curl.rs:327-330` uses `std::time::SystemTime::now()` for multipart boundary generation, leaking nanosecond-precision host time into HTTP request bodies.

## Impact — LOW

Timezone fingerprinting and timing correlation attacks. Inconsistent with the virtualization principle applied to other system builtins.

## Recommended fix

Add a configurable time source to `Bash::builder()`:
```rust
Bash::builder()
    .time_source(TimeSource::Fixed(epoch))  // or Offset(delta)
    .build();
```

## Tests

Regression test (currently `#[ignore]`):
- `security_audit_date_uses_virtual_time`

## Cross-references

- Threat model: TM-INF-018
- PR: #487

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: date builtin leaks real host time (TM-INF-018) #497

Summary

Impact — LOW

Recommended fix

Tests

Cross-references

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

security: date builtin leaks real host time (TM-INF-018) #497

Description

Summary

Impact — LOW

Recommended fix

Tests

Cross-references

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions