CWE-530: Information Exposure Through Source Code

Overview

Information exposure through source code occurs when applications unintentionally expose source files, version control directories, or compilation artifacts to unauthorized users. This includes serving .git directories, exposing .env files with credentials, revealing backend source code through misconfigured servers, leaving commented-out code with sensitive information, or allowing access to backup files (.php~, .bak, .old). Source code exposure reveals business logic, algorithms, security controls, hardcoded credentials, database schemas, API endpoints, and potential vulnerabilities.

OWASP Classification

Not Mapped to OWASP Top 10 2025

Risk

Medium to High: Source code exposure enables attackers to discover hardcoded credentials, identify vulnerabilities through code review, understand authentication mechanisms for bypass, learn database structure for injection attacks, and find sensitive comments revealing infrastructure details. Exposed .git directories allow attackers to reconstruct entire codebase history including deleted credentials.

Remediation Steps

Core principle: Never deploy source code, version control directories, or development artifacts to production web servers; configure web servers to deny access to sensitive file types and directories.

Remove Version Control Directories

# Delete from webroot
find /var/www -name ".git" -type d -exec rm -rf {} +
find /var/www -name ".svn" -type d -exec rm -rf {} +
find /var/www -name ".hg" -type d -exec rm -rf {} +

Configure Web Server to Block Source Files

Apache:

# Block access to version control and config files
<DirectoryMatch "^/.*/\.(git|svn|hg)/">
    Require all denied
</DirectoryMatch>

<FilesMatch "\.(env|config|bak|old|swp|tmp)$">
    Require all denied
</FilesMatch>

Nginx:

# Deny access to hidden files and directories
location ~ /\. {
    deny all;
}

# Deny access to specific file types
location ~* \.(env|git|svn|config|bak|old|swp)$ {
    deny all;
}

Remove Backup and Temporary Files

# Clean up before deployment
find . -name "*.bak" -delete
find . -name "*~" -delete
find . -name "*.swp" -delete
find . -name ".DS_Store" -delete
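The two cleanup steps above (version control directories, then backup and temporary files) are easy to run once and forget. As an added example, not part of this page or any project's own tooling, the following standard-library Python script audits a directory tree (a release artifact or a live webroot, your choice) for everything those two steps remove, plus `.env` files, and exits non-zero so a CI deploy stage can gate on it. The sample webroot it builds in a temp directory is constructed for the demonstration; the file names in it are not real findings.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Directories that must never reach a production webroot
VCS_DIRS = {".git", ".svn", ".hg"}
# Editor, backup and OS artefacts (glob patterns, matched against the file name only)
BACKUP_PATTERNS = ("*.bak", "*.old", "*.orig", "*~", "*.swp", "*.tmp", ".DS_Store")


def classify(name):
    """Return the finding kind for a file name, or None if the file is acceptable."""
    if name == ".env" or name.startswith(".env."):
        return "secret-file"
    if any(fnmatch.fnmatch(name, pattern) for pattern in BACKUP_PATTERNS):
        return "backup-file"
    return None


def audit_webroot(root):
    """Walk `root` and return a sorted list of (kind, posix_relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Report a VCS directory once and do not descend into it
        for d in sorted(dirnames):
            if d in VCS_DIRS:
                findings.append(("vcs-dir", (rel_dir / d).as_posix()))
                dirnames.remove(d)
        for f in filenames:
            kind = classify(f)
            if kind:
                findings.append((kind, (rel_dir / f).as_posix()))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed webroot in a temp dir and return its path (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": "<?php echo 'ok';",
        ".git/config": "[core]\n\trepositoryformatversion = 0\n",
        ".env": "DB_PASSWORD=constructed-sample-value\n",
        "config.php.bak": "<?php // old copy",
        "app.js~": "// editor backup",
        "assets/style.css": "body {}",
        "assets/.DS_Store": "",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    findings = audit_webroot(sample)
    for kind, rel in findings:
        print(f"{kind:12} {rel}")
    # Non-zero exit so a CI deploy step fails when anything is found
    raise SystemExit(1 if findings else 0)
```

Point `audit_webroot()` at the build output directory immediately before it is copied to the server; a clean run returns an empty list. `.env.example` files are flagged too, deliberately, since a deploy artifact has no reason to carry any `.env*` file.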

Use Proper Deployment Process

  • Deploy only compiled/built artifacts, not source
  • Use .gitignore to prevent committing .env files
  • Build process should exclude development files
  • Container images should use multi-stage builds

Example Docker multi-stage build:

# Build stage
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm install
# List .git, .env and backup files in .dockerignore so they never enter the build context
COPY . .
RUN npm run build

# Production stage - only compiled artifacts
FROM node:18-slim
WORKDIR /app
COPY --from=builder /app/dist ./dist
# node_modules from the builder still includes devDependencies; run
# "npm install --omit=dev" in this stage instead if the runtime image must stay minimal
COPY --from=builder /app/node_modules ./node_modules
CMD ["node", "dist/server.js"]

Remove Sensitive Comments

// VULNERABLE - sensitive info in comments
// TODO: Remove hardcoded admin password: "SuperSecret123!"
// Database: mysql://admin:P@ssw0rd@db.internal.com/myapp

// SECURE - remove before commit
// Use git pre-commit hooks to detect secrets

Implement Pre-Commit Hooks

#!/bin/bash
# .git/hooks/pre-commit (the shebang must be the first line or the hook is run by sh)

# Detect secrets in the staged changes; git-secrets exits non-zero on a hit,
# and the hook must propagate that status or the commit goes through anyway
git secrets --pre-commit || exit 1

# Prevent committing common secret files (grep prints the offending names)
if git diff --cached --name-only | grep -E '\.env$|\.config$'; then
    echo "Error: Attempting to commit secret files"
    exit 1
fi
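The two preceding sections (sensitive comments and the pre-commit hook) both come down to scanning staged content for secret-shaped strings before it is committed. As an added example, not part of this page and not git-secrets' own rule set, the following Python hook implements that check with four constructed rules (credentials embedded in a URL, a password or token assigned a quoted literal, a PEM private key header, and the well-known `AKIA...` AWS access key id form), blocks the same `.env` and `.config` file names as the shell hook above, and scans the staged blob via `git show :path` rather than the working copy. The sample text it is tested on reuses the two comment lines shown in the "Remove Sensitive Comments" section.

```python
import re
import subprocess
import sys

# Detection rules (constructed for this example; tune and extend per repository)
RULES = [
    # scheme://user:pass@host
    ("url-embedded-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@", re.I)),
    # password/secret/token assigned a quoted literal of 6+ characters
    ("credential-assignment",
     re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']([^\"']{6,})[\"']", re.I)),
    # PEM private key block
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # AWS access key id
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# File names that must not be committed at all, mirroring the grep in the hook above
BLOCKED_PATH = re.compile(r"(^|/)\.env(\.[^/]*)?$|\.config$")


def is_blocked_path(path):
    return BLOCKED_PATH.search(path) is not None


def scan_text(text):
    """Return [(line_no, rule_name, redacted_prefix)], at most one hit per rule per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                # Report only the text before the match so the secret never lands in a CI log
                findings.append((line_no, name, line[:m.start()].rstrip() + " <redacted>"))
    return findings


def staged_files():
    out = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"], text=True)
    return [p for p in out.split("\0") if p]


def main():
    failed = False
    for path in staged_files():
        if is_blocked_path(path):
            print(f"{path}: refusing to commit secret/config file")
            failed = True
            continue
        # Scan the staged blob, not the working tree, so unstaged edits cannot mask a hit
        try:
            text = subprocess.check_output(["git", "show", f":{path}"], text=True, errors="replace")
        except subprocess.CalledProcessError:
            continue
        for line_no, name, snippet in scan_text(text):
            print(f"{path}:{line_no}: {name}: {snippet}")
            failed = True
    sys.exit(1 if failed else 0)


# Constructed sample: the two comment lines from the section above plus one clean line
SAMPLE = (
    '// TODO: Remove hardcoded admin password: "SuperSecret123!"\n'
    '// Database: mysql://admin:P@ssw0rd@db.internal.com/myapp\n'
    'const retries = 3;\n'
)

if __name__ == "__main__":
    for line_no, name, snippet in scan_text(SAMPLE):
        print(f"sample:{line_no}: {name}: {snippet}")
    if len(sys.argv) > 1 and sys.argv[1] == "--hook":
        main()
```

Install it as `.git/hooks/pre-commit` invoking `python3 path/to/scan.py --hook`. The credential-assignment rule deliberately requires a quoted literal, which keeps it quiet on code like `form.password` at the cost of missing unquoted YAML values; add a second rule for those formats if your repository carries them.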

Monitor for Exposed Files

Regularly scan for:

  • /.git/config
  • /.env
  • /config.php
  • /web.config
  • /composer.json
  • /package.json
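A scan of those paths against a host you operate is also the quickest way to confirm that the Apache or Nginx deny rules from the earlier section actually took effect after a deploy. As an added example, not part of this page, the following standard-library Python script requests each listed path and, because a catch-all route on many applications answers 200 to everything, only reports "exposed" when the body also carries a content signature for that file (a `[core]` section for `.git/config`, `KEY=value` lines for `.env`, raw `<?php` for `config.php`, and so on). The fetcher is injectable; `fake_fetch` is a constructed stand-in for a misconfigured server so the script runs offline, and `https://example.invalid` is a placeholder base URL.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths listed on this page; base_url must be the site root for urljoin to work as intended
WATCH_PATHS = ["/.git/config", "/.env", "/config.php", "/web.config", "/composer.json", "/package.json"]


def looks_like_json_manifest(body):
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and any(k in doc for k in ("name", "require", "dependencies"))


# A 200 alone proves little; each path needs a content signature before it counts as exposed
SIGNATURES = {
    "/.git/config": lambda b: "[core]" in b,
    "/.env": lambda b: re.search(r"^[A-Z_][A-Z0-9_]*=", b, re.M) is not None,
    "/config.php": lambda b: b.lstrip().startswith("<?php"),  # source served raw, not executed
    "/web.config": lambda b: "<configuration" in b,
    "/composer.json": looks_like_json_manifest,
    "/package.json": looks_like_json_manifest,
}


def http_fetch(url, timeout=5):
    """Default fetcher: returns (status, first 4 KiB of body); network errors become status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_exposure(base_url, fetch=http_fetch):
    """Return {path: verdict} with verdict in exposed / served-no-signature / blocked / error."""
    results = {}
    for path in WATCH_PATHS:
        status, body = fetch(urljoin(base_url, path))
        if status == 0:
            results[path] = "error"
        elif status == 200 and SIGNATURES[path](body):
            results[path] = "exposed"
        elif status == 200:
            results[path] = "served-no-signature"
        else:
            results[path] = "blocked"  # 403/404 or any other non-200 answer
    return results


# Constructed stand-in for a misconfigured server: .git/config leaks, .env is denied,
# and everything else gets a catch-all 200 HTML page
def fake_fetch(url):
    if url.endswith("/.git/config"):
        return 200, "[core]\n\trepositoryformatversion = 0\n"
    if url.endswith("/.env"):
        return 403, ""
    return 200, "<html><body>Not found</body></html>"


if __name__ == "__main__":
    for path, verdict in check_exposure("https://example.invalid", fake_fetch).items():
        print(f"{verdict:22} {path}")
```

Against a real host, call `check_exposure("https://your-site-root/")` with the default fetcher from a post-deploy job and fail the job on any "exposed" verdict; "served-no-signature" entries are worth a manual look but are usually the application's catch-all page.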

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources