# Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362) The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. **Stack:** JavaScript - Prevalence: Media 3 lenguajes cubiertos - Impact: Alto 4 reglas de severidad alta - Prevention: Documentada 6 ejemplos de corrección **OWASP:** Insecure Design (A04:2021-Insecure Design) - #4 ## Description This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. ## Prevention Estrategias de prevención para Race Condition basadas en 1 reglas de detección de Shoulder. ### JavaScript Use database transactions with row-level locking for atomic read-modify-write operations ## Warning Signs - [HIGH] Race condition at ... - check and act are not atomic - [HIGH] time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a ## Consequences - Modificar datos de la aplicación - DoS - Ejecutar código no autorizado - Eludir mecanismo de protección ## Mitigations - Usa primitivas de sincronización adecuadas como locks, mutexes o semáforos - Minimiza la cantidad de código dentro de las secciones críticas - Usa estructuras de datos thread-safe cuando estén disponibles ## Detection - Total rules: 6 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it. Common race conditions include: - Check balance, then deduct (balance can change in between) - Check inventory, then create order (stock can be sold out) - Check permissions, then perform action (permissions can change) - File existence check, then read/write (file can be modified) - Remediation: Use database transactions for atomic operations: ```javascript // ✅ SAFE - Atomic operation with transaction const transaction = await db.transaction(); try { const account = await Account.findOne({ where: { userId }, lock: transaction.LOCK.UPDATE, transaction }); if (account.balance < amount) { await transaction.rollback(); throw new Error('Insufficient funds'); } await account.update( { balance: account.balance - amount }, { transaction } ); await transaction.commit(); } catch (error) { await transaction.rollback(); throw error; } ``` ### Typescript (1 rules) - **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it. Common race conditions include: - Check balance, then deduct (balance can change in between) - Check inventory, then create order (stock can be sold out) - Check permissions, then perform action (permissions can change) - File existence check, then read/write (file can be modified) - Remediation: Use database transactions for atomic operations: ```javascript // ✅ SAFE - Atomic operation with transaction const transaction = await db.transaction(); try { const account = await Account.findOne({ where: { userId }, lock: transaction.LOCK.UPDATE, transaction }); if (account.balance < amount) { await transaction.rollback(); throw new Error('Insufficient funds'); } await account.update( { balance: account.balance - amount }, { transaction } ); await transaction.commit(); } catch (error) { await transaction.rollback(); throw error; } ```