Java: Track taint through Spring Java bean getters on super types

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -345,7 +345,9 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.getDeclaringType() instanceof TypeUri and
   m.hasName("toURL")
   or
-  m instanceof GetterMethod and m.getDeclaringType() instanceof SpringUntrustedDataType
+  m instanceof GetterMethod and
+  m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
+  not m.getDeclaringType() instanceof TypeObject
   or
   m.getDeclaringType() instanceof SpringHttpEntity and
   m.getName().regexpMatch("getBody|getHeaders")
@@ -684,7 +686,8 @@ private class FormatterCallable extends TaintPreservingCallable {
     (
       this.hasName(["format", "out", "toString"])
       or
-      this.(Constructor)
+      this
+          .(Constructor)
           .getParameterType(0)
           .(RefType)
           .getASourceSupertype*()