# Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

**Stack:** JavaScript

- Prevalence: Medium (covers 3 languages)
- Impact: High (4 high-severity rules)
- Prevention: Documented (6 fix examples)

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

## Prevention

Prevention measures for Race Condition, based on 1 Shoulder detection rule.

### JavaScript

Use database transactions with row-level locking for atomic read-modify-write operations.

## Warning Signs

- [HIGH] Race condition at ... - check and act are not atomic
- [HIGH] time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a

## Consequences

- Modification of application data
- DoS
- Execution of unauthorized code
- Bypass of protection mechanisms

## Mitigations

- Use appropriate synchronization primitives such as locks, mutexes, and semaphores
- Minimize the amount of code inside critical sections
- Use thread-safe data structures where possible

## Detection

- Total rules: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### JavaScript (1 rule)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it.

Common race conditions include:

- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)

Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
// Assumes `db` is a Sequelize instance and `Account` is a model defined on it.
async function withdraw(userId, amount) {
  const transaction = await db.transaction();
  try {
    // Row-level lock: the row stays locked until commit or rollback
    const account = await Account.findOne({
      where: { userId },
      lock: transaction.LOCK.UPDATE,
      transaction
    });
    if (!account) {
      throw new Error('Account not found');
    }
    if (account.balance < amount) {
      throw new Error('Insufficient funds'); // rolled back in the catch block
    }
    await account.update(
      { balance: account.balance - amount },
      { transaction }
    );
    await transaction.commit();
  } catch (error) {
    // Single rollback point: rolling back an already finished transaction throws
    await transaction.rollback();
    throw error;
  }
}
```

### TypeScript (1 rule)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it.

Common race conditions include:

- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)

Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
// Assumes `db` is a Sequelize instance and `Account` is a model defined on it.
async function withdraw(userId, amount) {
  const transaction = await db.transaction();
  try {
    // Row-level lock: the row stays locked until commit or rollback
    const account = await Account.findOne({
      where: { userId },
      lock: transaction.LOCK.UPDATE,
      transaction
    });
    if (!account) {
      throw new Error('Account not found');
    }
    if (account.balance < amount) {
      throw new Error('Insufficient funds'); // rolled back in the catch block
    }
    await account.update(
      { balance: account.balance - amount },
      { transaction }
    );
    await transaction.commit();
  } catch (error) {
    // Single rollback point: rolling back an already finished transaction throws
    await transaction.rollback();
    throw error;
  }
}
```
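
The "check balance, then deduct" race listed above, as an added example that is not code from the original page or its rule set: an in-memory store with a constructed `sleep` delay standing in for database latency, run once through an unguarded handler and once through the same handler serialized behind a per-account mutex. All names (`withdrawUnsafe`, `withdrawLocked`, `withLock`, `runScenario`) and the sample account are hypothetical.

```javascript
// Added example: constructed in-memory data, no real database involved.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Hypothetical store: one account with a balance of 100.
const makeStore = () => new Map([['alice', 100]]);

// VULNERABLE: the check and the write are separated by an await, so a second
// request can pass the same check before the first one writes.
async function withdrawUnsafe(store, userId, amount) {
  const balance = store.get(userId);          // time of check
  if (balance < amount) return false;
  await sleep(5);                             // simulated I/O latency
  store.set(userId, balance - amount);        // time of use (stale balance)
  return true;
}

// Per-key mutex built from a promise chain: each caller waits for the
// previous holder of the same key to finish before entering.
const tails = new Map();
function withLock(key, criticalSection) {
  const previous = tails.get(key) || Promise.resolve();
  const run = previous.then(() => criticalSection());
  tails.set(key, run.catch(() => {}));        // a failure must not block the queue
  return run;
}

// HARDENED: same logic, but check and write run as one critical section.
const withdrawLocked = (store, userId, amount) =>
  withLock(userId, () => withdrawUnsafe(store, userId, amount));

// Fire two concurrent withdrawals of 80 against a balance of 100 and report
// how many were approved and what balance was recorded.
async function runScenario(withdraw) {
  const store = makeStore();
  const results = await Promise.all([
    withdraw(store, 'alice', 80),
    withdraw(store, 'alice', 80),
  ]);
  return { approved: results.filter(Boolean).length, balance: store.get('alice') };
}
```

An in-process lock only serializes requests inside one Node.js process; when several instances share a database, the row-level lock in the transaction shown on this page is what closes the window.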