The source code is just a text file that sits on your computer and is totally harmless until you make the computer run it. You don’t have to run the code on the same computer you are writing it on. There is a technique called remote debugging, where the code is written on one computer but runs on another one so you can debug it (inspect what the code is doing while it is running). That other computer can be a virtual machine built from an image (a kind of template), so if it gets trashed, you can easily reset it from the template and start over fresh without losing anything. To test its ability to spread, you can restrict the network access of the virtual machine so the malware can spread to other virtual machines but not back to the main machine.
The malware author can put backdoors or safety mechanisms in the code so that it won’t perform harmful actions if the machine has a certain name, a certain address or file present, etc. This is sometimes how malware authors get caught because the name or address in the backdoor provides clues that lead back to the author.