Fix ImproperAccess query

Author: Alvaro Muñoz

ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -17,9 +17,14 @@ import codeql.actions.security.ControlChecks
 from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event
 where
   job.isPrivileged() and
-  job.getATriggerEvent() = event and
-  event.getName() = "pull_request_target" and
-  event.getAnActivityType() = "synchronize" and
-  check.dominates(checkout)
+  job.getAStep() = checkout and
+  check.dominates(checkout) and
+  (
+    job.getATriggerEvent() = event and
+    event.getName() = "pull_request_target" and
+    event.getAnActivityType() = "synchronize"
+    or
+    not exists(job.getATriggerEvent())
+  )
 select checkout, "The checked-out code can be modified after the authorization check $@.", check,
   check.toString()

ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected

@@ -1 +1 @@
-| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |
+| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |