So I received an email from someone who seems to be a good/ethical hacker..
He has given a screenshot of the code (Controller file) he could see..
So I joined the company who were using CI3... I am not a hacker and don't have that expertise, so I have been looking at the access logs to see any funny URLs being accessed, and I found a few, but when I pasted them in the browser it was all OK, I got a forbidden error..
I have also looked at the CI3 vulnerability lists/exploits but there wasn't an example of how the exploit works (I found two related to my problem, i.e. viewing PHP files)... Not sure what the next steps are?
The enable query config is set to false..
In the access log, the one funky URL I found is this:
"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"
But I tried it by adding it to the end of my domain but no luck..
So one thing I found was that the .git folder was accessible.. not sure if that is what it was? So if anyone still knows of a way to see PHP code via CI3, i.e. domain.com/index.php?sss.... so I can be sure
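
One way to triage an access log for the two things mentioned in this post, the `invokefunction` request and requests under `/.git/`, and to separate what was refused from what was actually served. This is an added example, not part of the original post; the log lines are constructed samples in combined log format (IP addresses, timestamps, sizes and status codes are assumptions), and the function and rule names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format). IPs, timestamps, sizes and
# status codes are made up; the first request string is the one from the post.
SAMPLE_LOG = r'''
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 403 199 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /.git/config HTTP/1.1" 200 276 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:05:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:06:00 +0000] "GET /.git/index HTTP/1.1" 403 199 "-" "-"
198.51.100.5 - - [01/Jan/2024:10:07:00 +0000] "GET /index.php/welcome HTTP/1.1" 200 5120 "-" "-"
'''

# client IP, identd, user, [time], "METHOD url HTTP/x", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) ')

# Hypothetical rule names; the patterns come from the strings quoted in the post.
RULES = {
    "invokefunction_probe": re.compile(r"invokefunction|call_user_func_array", re.I),
    "git_metadata": re.compile(r"(^|/)\.git(/|$)"),
}

def triage(log_text):
    """Return one finding per matching request, with whether it was served (2xx)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank or non-conforming line
        ip, method, url, status = m.groups()
        url = unquote(url)              # decode %2e-style encodings before matching
        path = url.split("?", 1)[0]     # the .git rule looks at the path only
        for name, rx in RULES.items():
            target = path if name == "git_metadata" else url
            if rx.search(target):
                findings.append({"rule": name, "ip": ip, "url": url,
                                 "status": int(status), "served": status.startswith("2")})
    return findings

def served_git_paths(findings):
    """Paths under .git that the server answered with a 2xx status."""
    return sorted({f["url"] for f in findings if f["rule"] == "git_metadata" and f["served"]})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["status"], "SERVED " if f["served"] else "refused", f["rule"], f["ip"], f["url"])
```

A refused request (403) left a log entry but returned nothing; any 2xx hit under `/.git/` means repository files were handed to that client and is the entry to follow up on.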