rules:
  - id: cve-2022-22965
    patterns:
      - pattern: "@$MAP(...) $R $M(..., $Y $X, ...) { ... }"
      # Classes and annotations that do not have the vulnerability based on:
      # https://docs.spring.io/spring-framework/docs/5.3.18/javadoc-api/org/springframework/beans/BeanUtils.html#isSimpleValueType-java.lang.Class-
      # https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#mvc-ann-arguments
      - pattern-not: "@$MAP(...) $R $M(..., @CookieValue(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @MatrixVariable(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @PathVariable(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @RequestAttribute(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @RequestBody(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @RequestHeader(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @RequestParam(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @RequestPart(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @SessionAttribute(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., @SessionAttributes(...) $Y $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., String $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., boolean $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., byte $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., char $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., short $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., int $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., long $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., float $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., double $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Boolean $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Byte $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Character $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Short $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Integer $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Long $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Float $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Double $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Enum $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., CharSequence $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Number $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Date $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Temporal $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., URI $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., URL $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Locale $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Class $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., boolean[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., byte[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., char[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., short[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., int[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., long[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., float[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., double[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Boolean[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Byte[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Character[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Short[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Integer[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Long[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Float[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Double[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Enum[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., CharSequence[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Number[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Date[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Temporal[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., URI[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., URL[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Locale[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., Class[] $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., HttpEntity $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., MultipartHttpServletRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., MultipartRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., NativeWebRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., RedirectAttributes $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., SessionStatus $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., UriComponentsBuilder $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., WebRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.io.InputStream $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.io.OutputStream $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.io.Reader $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.io.Writer $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.security.Principal $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.time.ZoneId $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.util.Locale $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.util.Map $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., java.util.TimeZone $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.ServletRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.ServletResponse $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.http.HttpServletRequest $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.http.HttpServletResponse $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.http.HttpSession $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., javax.servlet.http.PushBuilder $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.http.HttpMethod $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.security.core.Authentication $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.ui.Model $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.ui.ModelMap $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.validation.BindingResult $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.data.rest.webmvc.PersistentEntityResourceAssembler $X, ...) { ... }"
      - pattern-not: "@$MAP(...) $R $M(..., org.springframework.http.HttpRequest $X, ...) { ... }"
      - metavariable-pattern:
          metavariable: $MAP
          pattern-either:
            - pattern: RequestMapping
            - pattern: GetMapping
            - pattern: PostMapping
            - pattern: PutMapping
            - pattern: DeleteMapping
            - pattern: PatchMapping
    message: Semgrep found a match
    languages:
      - java
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owap: "A1: Injection"
      technology:
        - spring
      references:
        - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement