BÊTA Shoulder est en bêta — Les résultats peuvent parfois être incorrects. Vos retours façonnent ce que nous corrigeons ensuite. Donner mon avis
Shoulder.dev

Renseignement sur les Menaces pour Développeurs
🏁

Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')

🛡️ 6 règles détectent ceci

Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

Prévalence
Moyenne
3 langages couverts
Impact
Élevé
4 règles de sévérité élevée
Prévention
Documentée
6 exemples de correctifs
2 Prévention
2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Race Condition basées sur 6 règles de détection Shoulder.

🐹 Go Tout voir Go détails →
Concurrent Slice Access HIGH

Protect concurrent slice access with mutex or use channels to collect results

+10 -7 go 
  func collect(items []string) []string {
-     var results []string
-     for _, item := range items {
-         go func(i string) {
-             results = append(results, process(i))
-         }(item)
-     }
-     time.Sleep(time.Second)
+     resultsCh := make(chan string, len(items))
+     for _, item := range items {
+         go func(i string) {
+             resultsCh <- process(i)
+         }(item)
+     }
+     results := make([]string, 0, len(items))
+     for i := 0; i < len(items); i++ {
+         results = append(results, <-resultsCh)
+     }
      return results
  }
Direct Map Access on Thread-Safe Struct HIGH

Use thread-safe accessor methods or sync.RWMutex for concurrent map access

+1 -1 go 
  func getNodeName(node *Node) string {
-     name, ok := node.Attributes["name"].(string)
+     name, ok := node.GetAttrString("name")
      if !ok {
          return ""
      }
      return name
  }
Potential Race Condition MEDIUM

Protect shared state with sync.Mutex, atomic operations, or sync.Map

+4 -4 go 
- var counter int
- func increment() {
-     go func() {
-         counter++
+ var counter int64
+ func increment() {
+     go func() {
+         atomic.AddInt64(&counter, 1)
      }()
  }
🟨 JavaScript Tout voir JavaScript détails →
Race Condition in Concurrent Operations HIGH

Use database transactions with row-level locking for atomic read-modify-write operations

+16 -3 javascript 
  app.post('/withdraw', async (req, res) => {
-   const account = await Account.findOne({ where: { userId } });
-   if (account.balance >= amount) {
-     await account.update({ balance: account.balance - amount });
+   const transaction = await db.transaction();
+   try {
+     const account = await Account.findOne({
+       where: { userId },
+       lock: transaction.LOCK.UPDATE,
+       transaction
+     });
+     if (account.balance < amount) {
+       await transaction.rollback();
+       return res.status(400).json({ error: 'Insufficient funds' });
+     }
+     await account.update({ balance: account.balance - amount }, { transaction });
+     await transaction.commit();
+   } catch (e) {
+     await transaction.rollback();
+     throw e;
    }
  });
🐍 Python Tout voir Python détails →
Potential Race Condition MEDIUM

Use locks for shared data and atomic operations for file access

+6 -4 python 
  import threading
  
  counter = 0
- 
- def increment():
-     global counter
-     counter += 1
+ lock = threading.Lock()
+ 
+ def increment():
+     global counter
+     with lock:
+         counter += 1
  
  threads = [threading.Thread(target=increment) for _ in range(100)]

Pratiques clés

  • Use data races, lost data, or panics
  • Use race conditions
  • Use of sync
3 Détection
3 Détection

Trouvez les vulnérabilités dans votre code

Utilisez Shoulder pour scanner votre code à la recherche de patterns Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition'). 6 règles.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=362

# Or scan entire project
npx @shoulderdev/cli trust .

Règles de Détection (6)

4 Signes d'Alerte
4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition'). Recherchez-les lors des revues de code et des audits de sécurité.

🟠
Concurrent slice access without synchronization causes data races. append() is NOT atomic - multiple goroutines appendin go-concurrent-slice-access
🟠
Direct access to map fields can cause race conditions in concurrent code. Maps in Go are not thread-safe, and concurrent go-direct-map-access
🟠
Improper WaitGroup usage can cause: - Race conditions (Add inside goroutine) - Panics (negative counter from Done miscou go-waitgroup-misuse
🟠
Race condition at ... - check and act are not atomic javascript-race-conditions
🟠
time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a javascript-race-conditions
🟡
Shared data accessed without proper synchronization go-race-condition
🟡
potential race conditions in concurrent Python code python-race-condition
🔍

Scannez votre base de code pour Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles