Skip to content

Security

Jump to bottom
github-actions[bot] edited this page Mar 22, 2026 · 20 revisions

Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function Risk
system() Execute arbitrary OS commands
unix() Execute Unix commands
dos() Execute DOS/Windows commands
! Shell escape operator
eval() Execute arbitrary string as code
feval() Call function by name string
evalc() Evaluate and capture output
evalin() Evaluate in caller/base workspace
assignin() Assign variable in caller/base workspace
perl() Execute Perl scripts
python() Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

The validator processes each line in order:

  1. Removes double-quoted strings "..."
  2. Removes single-quoted strings '...' (MATLAB char arrays)
    • A quote preceded by [a-zA-Z0-9_)] is treated as a transpose operator, not a string delimiter
  3. Removes MATLAB comments (% to end of line)

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:       # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Uploaded filenames are validated to prevent path traversal and injection attacks:

  • Allowed characters: [a-zA-Z0-9._-] only
  • Path traversal blocked: Filenames containing .. are rejected
  • Empty filenames rejected: Filename must not be empty

Examples:

✓ SAFE:     data.csv, model_v2.mat, results-2024.txt
✗ BLOCKED:  ../../etc/passwd, file;rm.txt, file with spaces.dat

Upload Size Limits

  • Default limit: 100 MB per file
  • Configuration: max_upload_size_mb in config.yaml
security:
  max_upload_size_mb: 100

Files uploaded via the server are stored in session-specific temp directories, which are isolated per session.

Workspace Isolation

When workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user.

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config — this is a flag that acknowledges you've set up proper authentication
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet
security:
  require_proxy_auth: false  # Set to true after configuring proxy auth

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session Cleanup

  • Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Temp files are deleted when sessions end (temp_cleanup_on_disconnect: true)
  • Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)

Code Checking

Optional pre-execution code analysis is available:

code_checker:
  enabled: true
  auto_check_before_execute: false  # Set true to block execution if issues found
  severity_levels: ["error", "warning"]

When enabled, the code checker performs static analysis before execution. Set auto_check_before_execute: true to automatically block code with errors or warnings.

Security Best Practices

Scenario Recommendations
Personal/local use Default config is fine. Use stdio transport, standard blocklist
Team server SSE + reverse proxy with authentication. Review the blocklist for your use case
Production SSE + reverse proxy + TLS + authentication. Set require_proxy_auth: true. Review and customize blocklist. Enable code checking (code_checker.enabled: true). Configure appropriate session timeouts and upload size limits
High-security deployments Enable workspace isolation and engine affinity for session persistence. Monitor all executed code via logs. Regularly review and update the blocklist

Clone this wiki locally