From 549fa7e288fd72a57c43d6175837df7a461388d0 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Fri, 12 May 2023 15:43:27 +0200
Subject: [PATCH] Java: make inputStreamWrapper only act on constructors from outside of source

---
 .../lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index b275c381150..af8f2273cbe 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -255,6 +255,7 @@ private class BulkData extends RefType {
 * status of its argument.
 */
 private predicate inputStreamWrapper(Constructor c, int argi) {
+ not c.fromSource() and
 c.getParameterType(argi) instanceof BulkData and
 c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
 }
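Review bot: The added `not c.fromSource() and` conjunct in `inputStreamWrapper` removes the wrapper taint step for every `InputStream` subclass declared in the analysed code base, and the commit (1 file, 1 insertion) has no test or QLDoc change showing that taint through such constructors is still found. For source-declared wrappers, taint presumably now relies on ordinary data flow through the constructor body, the field store and the overridden `read` methods. If a wrapper passes its `BulkData` argument to a callee that is not modelled, that path could lose taint and cause false negatives in the security queries that depend on this step. I would add a library test with a source-declared `InputStream` subclass whose constructor takes a tainted `BulkData` argument, asserting flow out of `read`. The doc comment, which begins above the hunk, should also gain a line such as `* Constructors declared in source are excluded; flow through them is tracked by regular data flow.`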