fix default_branch_name visibility

JarLob · JarLob · commit a2503dd14b8b · 2024-05-15T10:22:40.000Z
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -15,35 +15,35 @@ predicate runsOnDefaultBranch(Job j) {
   exists(Event e |
     j.getATriggerEvent() = e and
     exists(string default_branch_name |
-      repositoryDataModel(_, default_branch_name)
-    ) and
-    (
-      e.getName() = defaultBranchTriggerEvent() and
-      not e.getName() = "pull_request_target"
-      or
-      e.getName() = "push" and
-      e.getAPropertyValue("branches") = default_branch_name
-      or
-      e.getName() = "pull_request_target" and
+      repositoryDataModel(_, default_branch_name) and
       (
-        // no filtering
-        not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
-        or
-        // only branches-ignore filter
-        e.hasProperty("branches-ignore") and
-        not e.hasProperty("branches") and
-        not e.getAPropertyValue("branches-ignore") = default_branch_name
+        e.getName() = defaultBranchTriggerEvent() and
+        not e.getName() = "pull_request_target"
         or
-        // only branches filter
-        e.hasProperty("branches") and
-        not e.hasProperty("branches-ignore") and
+        e.getName() = "push" and
         e.getAPropertyValue("branches") = default_branch_name
         or
-        // branches and branches-ignore filters
-        e.hasProperty("branches") and
-        e.hasProperty("branches-ignore") and
-        e.getAPropertyValue("branches") = default_branch_name and
-        not e.getAPropertyValue("branches-ignore") = default_branch_name
+        e.getName() = "pull_request_target" and
+        (
+          // no filtering
+          not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
+          or
+          // only branches-ignore filter
+          e.hasProperty("branches-ignore") and
+          not e.hasProperty("branches") and
+          not e.getAPropertyValue("branches-ignore") = default_branch_name
+          or
+          // only branches filter
+          e.hasProperty("branches") and
+          not e.hasProperty("branches-ignore") and
+          e.getAPropertyValue("branches") = default_branch_name
+          or
+          // branches and branches-ignore filters
+          e.hasProperty("branches") and
+          e.hasProperty("branches-ignore") and
+          e.getAPropertyValue("branches") = default_branch_name and
+          not e.getAPropertyValue("branches-ignore") = default_branch_name
+        )
       )
     )
   )
