원클릭으로
sc-race-condition
Race condition and TOCTOU detection — database races, file system races, double-spend, and atomicity failures
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Race condition and TOCTOU detection — database races, file system races, double-spend, and atomicity failures
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
SOC 직업 분류 기준
| name | sc-race-condition |
| description | Race condition and TOCTOU detection — database races, file system races, double-spend, and atomicity failures |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects race condition vulnerabilities where concurrent operations on shared state lead to inconsistent or exploitable behavior. Covers database read-modify-write races, file system time-of-check-to-time-of-use (TOCTOU), double-spend attacks, counter increment without atomicity, missing database transactions, and concurrent request exploitation.
Called by sc-orchestrator during Phase 2. Runs against all applications with concurrent processing.
"balance", "counter", "inventory", "stock", "quantity",
"increment", "decrement", "transfer", "withdraw",
"transaction", "BEGIN", "COMMIT", "ROLLBACK",
"Lock", "Mutex", "synchronized", "atomic",
"SELECT.*FOR UPDATE", "SERIALIZABLE"
1. Database Read-Modify-Write Without Lock:
# VULNERABLE: Race condition on balance check
def withdraw(user_id, amount):
user = User.objects.get(id=user_id)
if user.balance >= amount: # CHECK
user.balance -= amount # MODIFY
user.save() # WRITE
# Two concurrent requests can both pass the check!
# SAFE: Atomic update with database-level lock
from django.db import transaction
from django.db.models import F
def withdraw(user_id, amount):
with transaction.atomic():
user = User.objects.select_for_update().get(id=user_id)
if user.balance >= amount:
user.balance = F('balance') - amount
user.save()
2. Non-Atomic Counter:
// VULNERABLE: Counter increment without atomicity
app.post('/like/:postId', async (req, res) => {
const post = await Post.findById(req.params.postId);
post.likes += 1; // Lost update under concurrent requests
await post.save();
});
// SAFE: Atomic increment
app.post('/like/:postId', async (req, res) => {
await Post.findByIdAndUpdate(req.params.postId, { $inc: { likes: 1 } });
});
3. File System TOCTOU:
// VULNERABLE: Check then use
if _, err := os.Stat(filepath); err == nil { // CHECK
data, _ := os.ReadFile(filepath) // USE — file may have changed!
}
// SAFE: Just open and handle error
data, err := os.ReadFile(filepath)
if err != nil { /* handle */ }
4. Coupon Double-Use:
# VULNERABLE: Check-then-mark race
def apply_coupon(coupon_code, order_id):
coupon = Coupon.objects.get(code=coupon_code)
if not coupon.used: # Both requests see used=False
apply_discount(order_id, coupon.discount)
coupon.used = True
coupon.save()
# SAFE: Atomic check-and-mark
def apply_coupon(coupon_code, order_id):
with transaction.atomic():
updated = Coupon.objects.filter(
code=coupon_code, used=False
).update(used=True)
if updated == 1:
apply_discount(order_id, coupon.discount)