Exposing metamodel.JSON and other files

0
Using the URL https://<<environment>>/metamodel.json exposes the datamodel of my application. It is also possible to use other filenames that are part of the MDA. Doing so, a hacker could be able to make a copy of my application. How can I prevent this from happening, i.e. instead of showing the content, give for example an error code 404?
asked
4 answers
4

Could you not solve this with your Path based access rules?

I tried the URL but I get a 404 on these paths.

Regards,

Ronald

answered
2

Bumping this back up because this is an issue for me as well.

answered
1

Hi. I'm the customer who has brought up this issue with Capgemini.

I think it is worth pointing out that in Mendix 6.9.1 the file metamodel.json was not included in the .mda. At least for our application. So why is it included now? Is there a way to not require it to be included? If not, then we'll need to restrict access.

KR,

Alex

answered
1

I'd also like to know if anybody has an answer to this, or a suggestion on how to restrict this file from being shown.
In an audit by a specialist in application security, this situation came up as a potential (albeit low risk) security issue.
It is not a direct risk, but can increase the chance of success of other attacks with this specific kind of information.

Working with Path Based Access Restrictions is not an option I think, because /login.html and /index.html need to be accessible, and they are at the same level as /metamodel.json.

answered
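A post-deployment check for the situation discussed in this thread, added here as an example and not taken from any of the posts or from Mendix itself: it verifies that /metamodel.json is no longer served while /index.html and /login.html (the pages the last answer says must stay reachable) still answer 200. The base URL is a placeholder, and the fetch function is injectable so the check can be exercised without a live environment.

```python
"""Verify that MDA internals such as /metamodel.json are not served by a
deployment while the public entry pages still are.

Added example, not part of the forum thread. `fetch` is injected so the
logic can be tested offline; by default a real HTTP GET is used.
"""
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Paths that expose the application model and must NOT be served (from the thread).
SENSITIVE_PATHS = ["/metamodel.json"]
# Paths that must remain reachable for the app to work (from the last answer).
PUBLIC_PATHS = ["/index.html", "/login.html"]


def http_status(url, timeout=10):
    """Return the HTTP status code of a GET on url (error responses included)."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def audit_exposure(base_url, fetch=http_status):
    """Return {path: (status, ok)}.

    A sensitive path is ok when it answers 403 or 404; a public path is ok
    only when it answers 200, so an over-broad rule is caught as well.
    """
    results = {}
    for path in SENSITIVE_PATHS:
        status = fetch(urljoin(base_url, path))
        results[path] = (status, status in (403, 404))
    for path in PUBLIC_PATHS:
        status = fetch(urljoin(base_url, path))
        results[path] = (status, status == 200)
    return results


def is_hardened(results):
    """True only when every sensitive path is blocked and every public path is open."""
    return all(ok for _, ok in results.values())


if __name__ == "__main__":
    # Placeholder host; pass your own environment URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://environment.example/"
    report = audit_exposure(base)
    for path, (status, ok) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {path} -> {status}")
    sys.exit(0 if is_hardened(report) else 1)
```

Run it against each environment after changing access rules; a non-zero exit means either the model file is still exposed or a public page was blocked by mistake.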