# Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362) The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. **Stack:** JavaScript - Prevalence: Moyenne 3 langages couverts - Impact: Élevé 4 règles de sévérité élevée - Prevention: Documentée 6 exemples de correctifs **OWASP:** Insecure Design (A04:2021-Insecure Design) - #4 ## Description This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider. ## Prevention Stratégies de prévention pour Race Condition basées sur 1 règles de détection Shoulder. ### JavaScript Use database transactions with row-level locking for atomic read-modify-write operations ## Warning Signs - [HIGH] Race condition at ... - check and act are not atomic - [HIGH] time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a ## Consequences - Modification des données de l'application - DoS - Exécuter du code non autorisé - Contourner le mécanisme de protection ## Mitigations - Utilisez des primitives de synchronisation appropriées comme verrous, mutex ou sémaphores - Minimisez la quantité de code dans les sections critiques - Utilisez des structures de données thread-safe lorsque c'est possible ## Detection - Total rules: 6 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it. Common race conditions include: - Check balance, then deduct (balance can change in between) - Check inventory, then create order (stock can be sold out) - Check permissions, then perform action (permissions can change) - File existence check, then read/write (file can be modified) - Remediation: Use database transactions for atomic operations: ```javascript // ✅ SAFE - Atomic operation with transaction const transaction = await db.transaction(); try { const account = await Account.findOne({ where: { userId }, lock: transaction.LOCK.UPDATE, transaction }); if (account.balance < amount) { await transaction.rollback(); throw new Error('Insufficient funds'); } await account.update( { balance: account.balance - amount }, { transaction } ); await transaction.commit(); } catch (error) { await transaction.rollback(); throw error; } ``` ### Typescript (1 rules) - **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it. Common race conditions include: - Check balance, then deduct (balance can change in between) - Check inventory, then create order (stock can be sold out) - Check permissions, then perform action (permissions can change) - File existence check, then read/write (file can be modified) - Remediation: Use database transactions for atomic operations: ```javascript // ✅ SAFE - Atomic operation with transaction const transaction = await db.transaction(); try { const account = await Account.findOne({ where: { userId }, lock: transaction.LOCK.UPDATE, transaction }); if (account.balance < amount) { await transaction.rollback(); throw new Error('Insufficient funds'); } await account.update( { balance: account.balance - amount }, { transaction } ); await transaction.commit(); } catch (error) { await transaction.rollback(); throw error; } ```