# Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

**Stack:** JavaScript

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 4개의 높은 심각도 규칙
- Prevention: 문서화됨 6개의 수정 예시

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Race Condition 예방 전략.

### JavaScript

Use database transactions with row-level locking for atomic read-modify-write operations

## Warning Signs

- [HIGH] Race condition at ... - check and act are not atomic
- [HIGH] time-of-check to time-of-use (TOCTOU) vulnerabilities where
the state can change between checking a 

## Consequences

- 애플리케이션 데이터 수정
- DoS
- 승인되지 않은 코드 실행
- 보호 메커니즘 우회

## Mitigations

- lock, mutex, semaphore 등 적절한 동기화 기본 요소를 사용하세요
- 임계 영역 내의 코드 양을 최소화하세요
- 가능하면 스레드 안전한 자료 구조를 사용하세요

## Detection

- Total rules: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where
the state can change between checking a condition and acting on it.

Common race conditions include:
- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)
  - Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
const transaction = await db.transaction();
try {
  const account = await Account.findOne({
    where: { userId },
    lock: transaction.LOCK.UPDATE,
    transaction
  });

  if (account.balance < amount) {
    await transaction.rollback();
    throw new Error('Insufficient funds');
  }

  await account.update(
    { balance: account.balance - amount },
    { transaction }
  );

  await transaction.commit();
} catch (error) {
  await transaction.rollback();
  throw error;
}
```

### Typescript (1 rules)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where
the state can change between checking a condition and acting on it.

Common race conditions include:
- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)
  - Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
const transaction = await db.transaction();
try {
  const account = await Account.findOne({
    where: { userId },
    lock: transaction.LOCK.UPDATE,
    transaction
  });

  if (account.balance < amount) {
    await transaction.rollback();
    throw new Error('Insufficient funds');
  }

  await account.update(
    { balance: account.balance - amount },
    { transaction }
  );

  await transaction.commit();
} catch (error) {
  await transaction.rollback();
  throw error;
}
```