feat: US-111 - Fix timing mitigation — make Date.now non-configurable and patch Date constructor

Author: NathanFlurry

packages/secure-exec-core/isolate-runtime/src/inject/apply-timing-mitigation-freeze.ts

@@ -9,34 +9,97 @@ const __frozenTimeMs =
 		: Date.now();
 const __frozenDateNow = () => __frozenTimeMs;
 
+// Freeze Date.now — non-configurable + non-writable prevents sandbox override
 try {
 	Object.defineProperty(Date, "now", {
 		value: __frozenDateNow,
-		configurable: true,
-		writable: true,
+		configurable: false,
+		writable: false,
 	});
 } catch {
 	Date.now = __frozenDateNow;
 }
 
+// Patch Date constructor so new Date().getTime() returns degraded time
+const __OrigDate = Date;
+const __FrozenDate = function Date(
+	this: InstanceType<DateConstructor>,
+	...args: unknown[]
+) {
+	if (new.target) {
+		// Called with new — no-arg returns frozen time, with args passes through
+		if (args.length === 0) {
+			return new __OrigDate(__frozenTimeMs);
+		}
+		// @ts-expect-error — spread forwarding to variadic Date constructor
+		return new __OrigDate(...args);
+	}
+	// Called without new — Date() returns string like original
+	return __OrigDate();
+} as unknown as DateConstructor;
+Object.defineProperty(__FrozenDate, "prototype", {
+	value: __OrigDate.prototype,
+	writable: false,
+	configurable: false,
+});
+__FrozenDate.now = __frozenDateNow;
+__FrozenDate.parse = __OrigDate.parse;
+__FrozenDate.UTC = __OrigDate.UTC;
+// Lock Date.now on the replacement constructor too
+Object.defineProperty(__FrozenDate, "now", {
+	value: __frozenDateNow,
+	configurable: false,
+	writable: false,
+});
+try {
+	Object.defineProperty(globalThis, "Date", {
+		value: __FrozenDate,
+		configurable: false,
+		writable: false,
+	});
+} catch {
+	(globalThis as Record<string, unknown>).Date = __FrozenDate;
+}
+
+/* Replace globalThis.performance with a frozen proxy — native V8 performance
+   may have non-configurable properties that prevent in-place freezing. */
 const __frozenPerformanceNow = () => 0;
-const __performance = globalThis.performance;
-if (typeof __performance !== "undefined" && __performance !== null) {
-	try {
-		Object.defineProperty(__performance, "now", {
-			value: __frozenPerformanceNow,
-			configurable: true,
-			writable: true,
-		});
-	} catch {
-		try {
-			Object.assign(__performance, { now: __frozenPerformanceNow });
-		} catch {}
+const __origPerf = globalThis.performance;
+const __frozenPerf = Object.create(null) as Record<string, unknown>;
+// Copy existing methods/properties, override now()
+if (typeof __origPerf !== "undefined" && __origPerf !== null) {
+	const src = __origPerf as unknown as Record<string, unknown>;
+	for (const key of Object.getOwnPropertyNames(
+		Object.getPrototypeOf(__origPerf) ?? __origPerf,
+	)) {
+		if (key !== "now") {
+			try {
+				const val = src[key];
+				if (typeof val === "function") {
+					__frozenPerf[key] = val.bind(__origPerf);
+				} else {
+					__frozenPerf[key] = val;
+				}
+			} catch {
+				/* skip inaccessible properties */
+			}
+		}
 	}
-} else {
-	setGlobalValue("performance", {
-		now: __frozenPerformanceNow,
+}
+Object.defineProperty(__frozenPerf, "now", {
+	value: __frozenPerformanceNow,
+	configurable: false,
+	writable: false,
+});
+Object.freeze(__frozenPerf);
+try {
+	Object.defineProperty(globalThis, "performance", {
+		value: __frozenPerf,
+		configurable: false,
+		writable: false,
 	});
+} catch {
+	(globalThis as Record<string, unknown>).performance = __frozenPerf;
 }
 
 /* Harden SharedArrayBuffer removal — neuter prototype so saved refs are useless,