# Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

**Stack:** JavaScript

- Prevalence: Medium (3 languages covered)
- Impact: High (4 high-severity rules)
- Prevention: Documented (6 fix examples)

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

This can have security implications when the expected synchronization is in security-critical code, such as recording whether a user is authenticated or modifying important state information that should not be influenced by an outsider.

## Prevention

Prevention strategies for Race Condition, based on 1 Shoulder detection rule.

### JavaScript

Use database transactions with row-level locking for atomic read-modify-write operations.

## Warning Signs

- [HIGH] Race condition at ... - check and act are not atomic
- [HIGH] time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a

## Consequences

- Modify application data
- DoS
- Execute unauthorized code
- Bypass protection mechanism

## Mitigations

- Use proper synchronization primitives such as locks, mutexes or semaphores
- Minimize the amount of code inside critical sections
- Use thread-safe data structures when available

## Detection

- Total rules: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### JavaScript (1 rule)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it.

Common race conditions include:

- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)

Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
// `db` is the ORM connection and `Account` a model defined elsewhere.
async function withdraw(userId, amount) {
  const transaction = await db.transaction();
  try {
    // Row-level lock: concurrent withdrawals for this row wait here
    const account = await Account.findOne({
      where: { userId },
      lock: transaction.LOCK.UPDATE,
      transaction
    });

    if (!account) {
      throw new Error('Account not found');
    }

    // The check and the update both happen while the row is locked.
    // The catch block below performs the single rollback on any failure.
    if (account.balance < amount) {
      throw new Error('Insufficient funds');
    }

    await account.update(
      { balance: account.balance - amount },
      { transaction }
    );

    await transaction.commit();
  } catch (error) {
    await transaction.rollback();
    throw error;
  }
}
```

### TypeScript (1 rule)

- **Race Condition in Concurrent Operations** [HIGH]: Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it.

Common race conditions include:

- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)

Remediation: Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
// `db` is the ORM connection and `Account` a model defined elsewhere.
async function withdraw(userId, amount) {
  const transaction = await db.transaction();
  try {
    // Row-level lock: concurrent withdrawals for this row wait here
    const account = await Account.findOne({
      where: { userId },
      lock: transaction.LOCK.UPDATE,
      transaction
    });

    if (!account) {
      throw new Error('Account not found');
    }

    // The check and the update both happen while the row is locked.
    // The catch block below performs the single rollback on any failure.
    if (account.balance < amount) {
      throw new Error('Insufficient funds');
    }

    await account.update(
      { balance: account.balance - amount },
      { transaction }
    );

    await transaction.commit();
  } catch (error) {
    await transaction.rollback();
    throw error;
  }
}
```
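
The "check balance, then deduct" case above can be reproduced without a database. The following is an added example, not code from the rule set: `makeAccount`, `withLock`, `withdrawUnsafe`, `withdrawSafe` and `race` are hypothetical names, the account row is a constructed in-memory stand-in, and an in-process lock takes the place of the row-level lock.

```javascript
// Added example. The "row" is a constructed in-memory stand-in for a database record.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

function makeAccount(balance) {
  const row = { balance };
  return {
    read: async () => { await sleep(1); return row.balance; },   // simulated query latency
    write: async (value) => { await sleep(1); row.balance = value; },
    peek: () => row.balance,
  };
}

// VULNERABLE: the check and the update are separate awaits, so a second
// request can read the same balance before the first one writes.
async function withdrawUnsafe(account, amount) {
  const balance = await account.read();
  if (balance < amount) throw new Error('Insufficient funds');
  await account.write(balance - amount);
  return amount;
}

// Per-account mutex: each caller queues behind the previous holder's promise.
const lockTails = new WeakMap();
function withLock(key, fn) {
  const previous = lockTails.get(key) || Promise.resolve();
  const run = previous.then(() => fn());
  lockTails.set(key, run.catch(() => {}));   // a failed holder must not block the queue
  return run;
}

// FIXED: the whole read-check-write sequence runs while holding the lock.
function withdrawSafe(account, amount) {
  return withLock(account, () => withdrawUnsafe(account, amount));
}

// Fire two concurrent withdrawals of 80 against a balance of 100.
async function race(withdraw) {
  const account = makeAccount(100);
  const settled = await Promise.allSettled([withdraw(account, 80), withdraw(account, 80)]);
  const paidOut = settled
    .filter((r) => r.status === 'fulfilled')
    .reduce((sum, r) => sum + r.value, 0);
  return { paidOut, balance: account.peek() };
}
```

With `withdrawUnsafe` both withdrawals succeed and 160 is paid out of 100; with `withdrawSafe` the second is rejected. The lock only serializes requests inside one Node.js process, so a service running several instances still needs the database row lock.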