Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.
이 취약점을 수정하는 방법
6개의 Shoulder 탐지 규칙을 기반으로 한 Race Condition 예방 전략.
Protect concurrent slice access with mutex or use channels to collect results
func collect(items []string) []string { - var results []string - for _, item := range items { - go func(i string) { - results = append(results, process(i)) - }(item) - } - time.Sleep(time.Second) + resultsCh := make(chan string, len(items)) + for _, item := range items { + go func(i string) { + resultsCh <- process(i) + }(item) + } + results := make([]string, 0, len(items)) + for i := 0; i < len(items); i++ { + results = append(results, <-resultsCh) + } return results }
Use thread-safe accessor methods or sync.RWMutex for concurrent map access
func getNodeName(node *Node) string { - name, ok := node.Attributes["name"].(string) + name, ok := node.GetAttrString("name") if !ok { return "" } return name }
Protect shared state with sync.Mutex, atomic operations, or sync.Map
- var counter int - func increment() { - go func() { - counter++ + var counter int64 + func increment() { + go func() { + atomic.AddInt64(&counter, 1) }() }
Use database transactions with row-level locking for atomic read-modify-write operations
app.post('/withdraw', async (req, res) => { - const account = await Account.findOne({ where: { userId } }); - if (account.balance >= amount) { - await account.update({ balance: account.balance - amount }); + const transaction = await db.transaction(); + try { + const account = await Account.findOne({ + where: { userId }, + lock: transaction.LOCK.UPDATE, + transaction + }); + if (account.balance < amount) { + await transaction.rollback(); + return res.status(400).json({ error: 'Insufficient funds' }); + } + await account.update({ balance: account.balance - amount }, { transaction }); + await transaction.commit(); + } catch (e) { + await transaction.rollback(); + throw e; } });
Use locks for shared data and atomic operations for file access
import threading counter = 0 - - def increment(): - global counter - counter += 1 + lock = threading.Lock() + + def increment(): + global counter + with lock: + counter += 1 threads = [threading.Thread(target=increment) for _ in range(100)]
핵심 실천 사항
- Use data races, lost data, or panics
- Use race conditions
- Use of sync
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') 패턴을 스캔하세요. 6 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=362 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (6)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.