Hi, during pen-testing the metamodel.json was flagged as a finding because it was accessible by people just by using /metamodel.json as a suffix to the base URL of the app. I've configured /metamodel.json to be a path-based access restriction rule set to Deny All Access. Unfortunately, that seems to not let people actually use the app. We end up on the login page, we put our credentials in and press Log in, and then we are shown a blank screen. The Chrome Console says "Access forbidden to resource 403 metamodel.json". If I remove the rule, it seems to work fine, but that does not solve the pentest finding. Has anyone encountered the same situation and knows how and if it can indeed be solved? Thanks!
Mendix has addressed this. I couldn't quite find which Mx version, but I think it is this Security Advisory. Upgrading to the mentioned versions should resolve the vulnerability.
The metamodel.json will still be accessible, but now no longer contains vulnerable/sensitive details about your domain model, entity names and microflow names. The metamodel.json needs to be accessible for Mendix to work properly (as you already found out).
So I guess upgrading to the correct Mendix version is the only solution (and explaining to the pentesters it is not a vulnerability).