Security

github-actions[bot] edited this page Mar 18, 2026 · 20 revisions

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

| Function | Risk |
|---|---|
| system() | Execute arbitrary OS commands |
| unix() | Execute Unix commands |
| dos() | Execute DOS/Windows commands |
| ! | Shell escape operator |
| eval() | Execute arbitrary string as code |
| feval() | Call function by name string |
| evalc() | Evaluate and capture output |
| evalin() | Evaluate in caller/base workspace |
| assignin() | Assign variable in caller/base workspace |
| perl() | Execute Perl scripts |
| python() | Execute Python scripts |

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

String literal detection handles:

  • Double-quoted strings: "..."
  • Single-quoted char arrays: '...' (but not transpose operators like A')
  • MATLAB comments: % to end of line
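The scan described above, written out as an added Python example (this is not the server's own validator code): it blanks string and char-array literal contents, drops `%` line comments and `%{ ... %}` block comments while keeping newlines so line numbers survive, decides whether a single quote is a transpose or opens a char array from the character before it, and only then matches the blocklist. The sample MATLAB input is constructed for the example; `find_blocked_calls` and `validate` are names assumed here.

```python
import re

# Default blocklist as listed on this page.
BLOCKED_FUNCTIONS = ["system", "unix", "dos", "!", "eval", "feval",
                     "evalc", "evalin", "assignin", "perl", "python"]

# A single quote directly after one of these characters is a transpose
# operator (A', x.', (y)', A''), not the start of a char array.
_TRANSPOSE_PREDECESSORS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_)]}.'"
)
_BLOCK_COMMENT_END = re.compile(r"^[ \t]*%\}[ \t]*$", re.MULTILINE)


def strip_strings_and_comments(code: str) -> str:
    """Blank out literal contents and drop comments, preserving newlines.

    Each literal is replaced by an empty one ("" or '') so the surrounding
    code keeps its shape; line numbers in the result match the input.
    """
    out = []
    last = ""                     # last character emitted (transpose test)
    i, n = 0, len(code)
    while i < n:
        c = code[i]
        if c == "%":
            line_start = code.rfind("\n", 0, i) + 1
            line_end = code.find("\n", i)
            if line_end == -1:
                line_end = n
            if code[line_start:line_end].strip() == "%{":
                # Block comment: skip to the matching %} line (or end of
                # input), emitting one newline per skipped line.
                m = _BLOCK_COMMENT_END.search(code, line_end)
                end = m.end() if m else n
                newlines = "\n" * code.count("\n", i, end)
                if newlines:
                    out.append(newlines)
                    last = "\n"
                i = end
            else:
                # Line comment: drop up to, but not including, the newline.
                i = line_end
        elif c == '"' or (c == "'" and last not in _TRANSPOSE_PREDECESSORS):
            quote = c
            i += 1
            while i < n and code[i] != "\n":     # literals end at end of line
                if code[i] == quote:
                    if i + 1 < n and code[i + 1] == quote:
                        i += 2                   # doubled quote = escaped quote
                        continue
                    i += 1                       # closing quote
                    break
                i += 1
            out.append(quote * 2)
            last = quote
        else:
            out.append(c)
            last = c
            i += 1
    return "".join(out)


def find_blocked_calls(code, blocked=BLOCKED_FUNCTIONS):
    """Return sorted (line_number, name) pairs for blocked names in real code."""
    cleaned = strip_strings_and_comments(code)
    hits = []
    for name in blocked:
        if name == "!":
            pattern = r"^[ \t]*!"   # shell escape: '!' first on a line
        else:
            pattern = r"\b" + re.escape(name) + r"\b"   # whole identifier only
        for m in re.finditer(pattern, cleaned, re.MULTILINE):
            hits.append((cleaned.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)


def validate(code, blocked=BLOCKED_FUNCTIONS):
    """Raise PermissionError listing every blocked call, else return True."""
    hits = find_blocked_calls(code, blocked)
    if hits:
        detail = ", ".join(f"{name} (line {ln})" for ln, name in hits)
        raise PermissionError(f"blocked function(s): {detail}")
    return True


# Constructed sample input mirroring the cases on this page.
SAMPLE_CODE = """\
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string
B = A';                                  % transpose, not a char array
C = [A' 'suffix'];                       % transpose followed by a char array
%{
eval('inside a block comment');
%}
system('ls')                             % a real system() call
!ls                                      % shell escape
"""

if __name__ == "__main__":
    print(find_blocked_calls(SAMPLE_CODE))   # [(9, 'system'), (10, '!')]
```

The `blocked` parameter is where a deployment's own `blocked_functions` list from the config would be passed in. Matching on whole identifiers keeps `systems` or `mysystem` from triggering, while a bare variable named `eval` still does, which is the conservative side to err on.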

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Modify the list to add or remove functions as needed for your deployment.

Workspace Isolation

When workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user.

Engine affinity: Set engine_affinity: true if you need workspace persistence across multiple calls within a single session (user-specific engine pinning). The default is false for isolation.

Upload Protection

  • Size limit: Configurable via max_upload_size_mb (default 100MB)
  • Filename sanitization: Rejects filenames with:
    • Path traversal sequences (..)
    • Characters outside [a-zA-Z0-9._-]
    • Empty strings
  • Temp directory isolation: Files are uploaded to session-specific temp directories under temp_dir (default ./temp)
  • Cleanup: Uploaded files are deleted when sessions end if temp_cleanup_on_disconnect: true (default)

Sanitization Details

The sanitize_filename() method enforces a strict allowlist:

security:
  # Filenames like "data.csv", "output_2024.txt", "file-v1.0.mat" are OK
  # Filenames like "../../etc/passwd", "file\name.txt", "file@#$.txt" are blocked
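The allowlist rules above, as an added Python example rather than the server's own `sanitize_filename()`: the three rejection rules from this page, one extra check that a dot-only name (which would name the directory itself) is also refused, and a helper that builds the session-specific upload path under `temp_dir` and confirms the resolved path cannot leave the session directory. `is_safe_filename` and `session_upload_path` are names assumed here, as is the `temp_dir/<session_id>/<filename>` layout.

```python
import os
import re

# Allowlist from this page: letters, digits, dot, underscore and hyphen only.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]+")


def sanitize_filename(name: str) -> str:
    """Return name unchanged if it passes the allowlist, else raise ValueError."""
    if not name:
        raise ValueError("empty filename")
    if ".." in name:
        raise ValueError("path traversal sequence")
    if SAFE_FILENAME.fullmatch(name) is None:
        raise ValueError("character outside [a-zA-Z0-9._-]")
    if name.strip(".") == "":                 # added check, not on the page
        raise ValueError("dot-only filename")
    return name


def is_safe_filename(name: str) -> bool:
    try:
        sanitize_filename(name)
        return True
    except ValueError:
        return False


def session_upload_path(temp_dir: str, session_id: str, name: str) -> str:
    """Resolve temp_dir/session_id/name and verify it stays inside the session dir.

    Assumed layout; the session id is run through the same allowlist so a
    malformed id cannot relocate the directory either.
    """
    session_dir = os.path.realpath(os.path.join(temp_dir, sanitize_filename(session_id)))
    target = os.path.realpath(os.path.join(session_dir, sanitize_filename(name)))
    if os.path.dirname(target) != session_dir:
        raise ValueError("resolved path escapes the session directory")
    return target


if __name__ == "__main__":
    # The examples from this page.
    for candidate in ["data.csv", "output_2024.txt", "file-v1.0.mat",
                      "../../etc/passwd", "file\\name.txt", "file@#$.txt", ""]:
        print(repr(candidate), "OK" if is_safe_filename(candidate) else "blocked")
```

The `realpath` comparison is redundant once the allowlist holds, but it is cheap and catches a future regression in the allowlist (for example, someone adding `/` to the character class) before it becomes a directory escape.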

Code Checking

Static code analysis is available to detect issues before execution:

code_checker:
  enabled: true
  auto_check_before_execute: false  # Set true to check all code automatically
  severity_levels: ["error", "warning"]

When enabled, the code checker scans MATLAB code for:

  • Blocked functions (same as security blocklist)
  • Common style issues and potential errors

Setting auto_check_before_execute: true runs this check automatically on every block of code before it executes (a pre-flight check).

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config. This flag enforces nothing by itself; it records that you have put proper authentication in front of the server and suppresses the startup warning
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet

security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session and Job Cleanup

  • Session timeout: Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Job retention: Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)
  • Temp cleanup: Uploaded files and session temp directories are deleted when sessions end if temp_cleanup_on_disconnect: true
  • Graceful shutdown: Long-running jobs are allowed up to drain_timeout_seconds to complete before server shutdown (default 300 seconds)

Execution Limits

  • Hard execution limit: Any job that exceeds max_execution_time is terminated (default 86400 seconds / 24 hours)
  • Sync timeout: Jobs are promoted to async execution after sync_timeout seconds without output (default 30 seconds)

Security Best Practices

| Scenario | Recommendations |
|---|---|
| Personal use | Default config is fine. stdio transport, default blocklist |
| Team server | SSE + reverse proxy + auth. Review the blocklist for your toolboxes. Enable code_checker.auto_check_before_execute |
| Production | SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review blocklist. Enable code checking. Set appropriate max_execution_time and session_timeout. Monitor using the built-in monitoring/dashboard (monitoring.dashboard_enabled: true) |

General Hardening

  • Keep blocklist updated: Add any dangerous functions specific to your installation
  • Restrict toolboxes: Use toolboxes.mode: "whitelist" to limit available functionality
  • Monitor execution: Enable monitoring.enabled: true and periodically review the metrics dashboard
  • Validate paths: Ensure result_dir and temp_dir are on filesystems with proper permissions
  • Log review: Monitor log_file for warnings about blocked functions or security violations
  • Custom tools: If using custom MATLAB functions, review them for security implications before adding to custom_tools.config_file
