Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
In some situations it is critical to remove source code from an area or server. For example, an attacker who obtains the Perl source code on a system can understand the logic of the script and extract extremely useful information from it, such as code bugs or logins and passwords.
Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
CVE-2022-25512: Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
CVE-2022-24867: The LDAP password might be visible in the HTML code of a rendered page in an IT Asset Management tool.
CVE-2007-6197: Version numbers and internal hostnames leaked in HTML comments.
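As an added illustration of the pattern-based detection described above (not part of this entry), the following scanner checks client-served source for the three leak shapes the observed examples describe: secret-like assignments in script code, credential values carried in markup attributes, and HTML comments containing internal hostnames or version strings. The regexes, file names and sample contents are constructed for this example and are not taken from the affected products.

```python
import re

# Secret-like assignments in script code, e.g. authToken = "..." or password: '...'
SECRET_ASSIGN = re.compile(
    r"\b(?P<key>[A-Za-z_]*(?:token|secret|passw(?:or)?d|api[_-]?key)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{6,})[\"']", re.IGNORECASE)
# Credential-like values carried in markup attributes, e.g. hidden form fields
MARKUP_CREDENTIAL = re.compile(
    r"name=[\"'](?P<key>[^\"']*(?:pass|pwd|token|secret)[^\"']*)[\"']\s+value=[\"'](?P<value>[^\"']+)[\"']",
    re.IGNORECASE)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Internal-looking hostnames and dotted version strings (or dotted addresses) inside comments
INTERNAL_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp|lan|intranet)\b", re.IGNORECASE)
VERSION_STRING = re.compile(r"\b\d+\.\d+(?:\.\d+)+\b")

def _redact(value):
    return value[:4] + "*" * (len(value) - 4)  # keep a short prefix for triage, never the full secret

def scan_source(text, path):
    """Return findings (path, line, kind, detail) for one client-served source file, sorted by line."""
    findings = []
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    for kind, pattern in (("secret-in-script", SECRET_ASSIGN), ("credential-in-markup", MARKUP_CREDENTIAL)):
        for m in pattern.finditer(text):
            findings.append({"path": path, "line": line_of(m.start()), "kind": kind,
                             "detail": f'{m.group("key")} = {_redact(m.group("value"))}'})
    for c in HTML_COMMENT.finditer(text):  # comments are shipped to every client verbatim
        hits = INTERNAL_HOST.findall(c.group(1)) + VERSION_STRING.findall(c.group(1))
        if hits:
            findings.append({"path": path, "line": line_of(c.start()), "kind": "leak-in-comment",
                             "detail": ", ".join(hits)})
    return sorted(findings, key=lambda f: f["line"])

# Constructed samples modelled on the observed examples (not artefacts of any real product)
SAMPLE_JS = """// constructed sample
const apiBase = "/api/v1";
const authToken = "tk_live_0123456789abcdef";
"""
SAMPLE_HTML = """<!-- Build 3.2.17 deployed from build01.corp.internal -->
<html><body>
<input type="hidden" name="ldap_password" value="Winter2024!">
<script>var cfg = {endpoint: "/search", limit: 20};</script>
</body></html>
"""

if __name__ == "__main__":
    for path, text in (("app.js", SAMPLE_JS), ("index.html", SAMPLE_HTML)):
        for f in scan_source(text, path):
            print(f"{f['path']}:{f['line']} [{f['kind']}] {f['detail']}")
```

Run it against a built web root before deployment; a non-empty result is a release blocker, and the redacted detail is enough to locate the offending line without copying the secret into the build log.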