From 276ee259ca2d876ee02731f956546a4b08dbd0b3 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Thu, 12 Mar 2026 01:39:53 -0400
Subject: [PATCH] Tests: clean up temp git helper directory

---
 src/infra/host-env-security.test.ts | 69 ++++++++++++++++-------------
 1 file changed, 37 insertions(+), 32 deletions(-)

diff --git a/src/infra/host-env-security.test.ts b/src/infra/host-env-security.test.ts
index 87156c10396..08f1a3d65fb 100644
--- a/src/infra/host-env-security.test.ts
+++ b/src/infra/host-env-security.test.ts
@@ -232,40 +232,45 @@ describe("git env exploit regression", () => {
       `openclaw-git-exec-path-marker-${process.pid}-${Date.now()}`,
     );
     try {
+      try {
+        fs.unlinkSync(marker);
+      } catch {
+        // no-op
+      }
+      fs.writeFileSync(helperPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\nexit 1\n`, "utf8");
+      fs.chmodSync(helperPath, 0o755);
+
+      const target = "https://127.0.0.1:1/does-not-matter";
+      const unsafeEnv = {
+        PATH: process.env.PATH ?? "/usr/bin:/bin",
+        GIT_EXEC_PATH: helperDir,
+        GIT_TERMINAL_PROMPT: "0",
+      };
+
+      await new Promise<void>((resolve) => {
+        const child = spawn(gitPath, ["ls-remote", target], { env: unsafeEnv, stdio: "ignore" });
+        child.once("error", () => resolve());
+        child.once("close", () => resolve());
+      });
+
+      expect(fs.existsSync(marker)).toBe(true);
       fs.unlinkSync(marker);
-    } catch {
-      // no-op
+
+      const safeEnv = sanitizeHostExecEnv({
+        baseEnv: unsafeEnv,
+      });
+
+      await new Promise<void>((resolve) => {
+        const child = spawn(gitPath, ["ls-remote", target], { env: safeEnv, stdio: "ignore" });
+        child.once("error", () => resolve());
+        child.once("close", () => resolve());
+      });
+
+      expect(fs.existsSync(marker)).toBe(false);
+    } finally {
+      fs.rmSync(helperDir, { recursive: true, force: true });
+      fs.rmSync(marker, { force: true });
     }
-    fs.writeFileSync(helperPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\nexit 1\n`, "utf8");
-    fs.chmodSync(helperPath, 0o755);
-
-    const target = "https://127.0.0.1:1/does-not-matter";
-    const unsafeEnv = {
-      PATH: process.env.PATH ?? "/usr/bin:/bin",
-      GIT_EXEC_PATH: helperDir,
-      GIT_TERMINAL_PROMPT: "0",
-    };
-
-    await new Promise<void>((resolve) => {
-      const child = spawn(gitPath, ["ls-remote", target], { env: unsafeEnv, stdio: "ignore" });
-      child.once("error", () => resolve());
-      child.once("close", () => resolve());
-    });
-
-    expect(fs.existsSync(marker)).toBe(true);
-    fs.unlinkSync(marker);
-
-    const safeEnv = sanitizeHostExecEnv({
-      baseEnv: unsafeEnv,
-    });
-
-    await new Promise<void>((resolve) => {
-      const child = spawn(gitPath, ["ls-remote", target], { env: safeEnv, stdio: "ignore" });
-      child.once("error", () => resolve());
-      child.once("close", () => resolve());
-    });
-
-    expect(fs.existsSync(marker)).toBe(false);
   });
 
   it("blocks GIT_SSH_COMMAND override so git cannot execute helper payloads", async () => {