Security

github-actions[bot] edited this page Mar 22, 2026 · 20 revisions

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

| Function   | Risk                                     |
|------------|------------------------------------------|
| system()   | Execute arbitrary OS commands            |
| unix()     | Execute Unix commands                    |
| dos()      | Execute DOS/Windows commands             |
| !          | Shell escape operator                    |
| eval()     | Execute arbitrary string as code         |
| feval()    | Call function by name string             |
| evalc()    | Evaluate and capture output              |
| evalin()   | Evaluate in caller/base workspace        |
| assignin() | Assign variable in caller/base workspace |
| perl()     | Execute Perl scripts                     |
| python()   | Execute Python scripts                   |

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

String Literal Processing

The validator removes literals in this order per line:

  1. Double-quoted strings ("...")
  2. Single-quoted strings ('...') — MATLAB character arrays
    • A quote preceded by [a-zA-Z0-9_)] is treated as a transpose operator, not a string delimiter
  3. MATLAB comments (% to end of line)
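The scanner described in the two sections above, written out as an added Python example (it is not the project's validator; the regexes, the whole-word matching of function names and the treatment of `!` as a line-leading shell escape are this example's assumptions about how the documented rules are applied). It strips literals in the documented order, honours the transpose rule, and then looks for the default blocklist in what remains:

```python
import re

# The default blocklist exactly as this page documents it.
DEFAULT_BLOCKED = ["system", "unix", "dos", "!", "eval", "feval",
                   "evalc", "evalin", "assignin", "perl", "python"]

# Double-quoted string; "" inside is an escaped quote.
_DQ_STRING = re.compile(r'"(?:[^"]|"")*"')
# Single-quoted char array. A quote preceded by [a-zA-Z0-9_)] is a transpose
# operator (x', y(1)'), so it must not open a string; '' inside is an escaped quote.
_SQ_STRING = re.compile(r"(?<![a-zA-Z0-9_)])'(?:[^']|'')*'")
# MATLAB comment: % to end of line.
_COMMENT = re.compile(r"%.*$")


def strip_literals(line: str) -> str:
    """Remove literals from one line in the order the page gives:
    double-quoted strings, single-quoted strings, then % comments.
    Empty quotes are left behind so the call structure stays readable."""
    line = _DQ_STRING.sub('""', line)
    line = _SQ_STRING.sub("''", line)
    return _COMMENT.sub("", line)


def find_blocked(code: str, blocked=DEFAULT_BLOCKED, enabled=True) -> list[tuple[int, str]]:
    """Return (line_number, name) for every blocked function that appears
    outside strings and comments. Identifiers are matched as whole words,
    so "eval" does not fire on "evalc" or "my_eval". "!" fires only when it
    starts a statement line (assumption about how the server treats it).
    enabled=False mirrors security.blocked_functions_enabled: false."""
    if not enabled:
        return []
    hits: list[tuple[int, str]] = []
    for lineno, raw in enumerate(code.splitlines(), start=1):
        line = strip_literals(raw)
        for name in blocked:
            if name == "!":
                if re.match(r"\s*!", line):
                    hits.append((lineno, "!"))
            elif re.search(rf"\b{re.escape(name)}\b", line):
                hits.append((lineno, name))
    return hits


# Constructed sample: the page's three safe lines, a transpose, and two real calls.
SAMPLE = """\
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string
y = x';                                  % transpose, not a string delimiter
system('ls')                             % actual system() call
!ls                                      % shell escape
"""

if __name__ == "__main__":
    for lineno, name in find_blocked(SAMPLE):
        print(f"line {lineno}: blocked function {name!r}")
```

Only the last two sample lines are reported; the three "safe" lines and the transpose line pass because the literal stripping runs first, which is the false-positive behaviour the section describes.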

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Uploaded filenames are validated to prevent path traversal and injection attacks:

  • Character whitelist: Only [a-zA-Z0-9._-] are allowed
  • Path traversal protection: Filenames containing .. are rejected
  • Basename only: Directory separators are not permitted

Examples:

✓ SAFE:     report.pdf, data_2024.csv, config-v1.2.yaml
✗ BLOCKED:  ../etc/passwd (path traversal)
✗ BLOCKED:  file;rm.txt (invalid character)
✗ BLOCKED:  (empty string)
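An added Python illustration of the three filename rules (not the project's own sanitizer; the reason strings, the check order and the `safe_upload_path` helper with its defence-in-depth path check are this example's choices). The `..` rule needs its own check because both dots pass the character whitelist:

```python
import os
import re

# Character whitelist from the page: letters, digits, dot, underscore, dash.
_ALLOWED = re.compile(r"[a-zA-Z0-9._-]+")


def validate_filename(name: str) -> tuple[bool, str]:
    """Apply the page's rules to an uploaded filename and return (accepted, reason).
    Checks are ordered so the reason matches the page's examples:
    empty, traversal, separators, then the character whitelist."""
    if not name:
        return False, "empty string"
    if ".." in name:
        # "." is whitelisted, so ".." would otherwise slip through (e.g. data..csv)
        return False, "path traversal"
    if "/" in name or "\\" in name:
        return False, "directory separator"
    if not _ALLOWED.fullmatch(name):
        return False, "invalid character"
    return True, "ok"


def safe_upload_path(session_temp_dir: str, name: str) -> str:
    """Resolve a validated filename inside the session temp directory and
    confirm the resolved path still lies under it (defence in depth: the
    whitelist should already guarantee this)."""
    ok, reason = validate_filename(name)
    if not ok:
        raise ValueError(f"rejected filename {name!r}: {reason}")
    base = os.path.realpath(session_temp_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"resolved path {target!r} escapes {base!r}")
    return target


if __name__ == "__main__":
    # Constructed inputs: the page's examples plus two more edge cases.
    for candidate in ["report.pdf", "data_2024.csv", "config-v1.2.yaml",
                      "../etc/passwd", "file;rm.txt", "", "data..csv", "sub/report.pdf"]:
        ok, reason = validate_filename(candidate)
        print(f"{'SAFE   ' if ok else 'BLOCKED'} {candidate!r} ({reason})")
```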

Upload Protection

  • Size limit: Configurable via max_upload_size_mb (default 100 MB)
  • Filename sanitization: As described above
  • Temp directory isolation: Files are uploaded to session-specific temp directories under execution.temp_dir
  • Automatic cleanup: Files are deleted when sessions end if execution.temp_cleanup_on_disconnect: true

Workspace Isolation

When execution.workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user. Workspace state is reset after each job execution unless engine_affinity: true (which pins a session to an engine for workspace persistence across jobs).

Proxy Authentication

When using SSE transport for multi-user or internet-facing deployments:

  1. Set require_proxy_auth: true in config — this flag acknowledges you've set up proper authentication
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet

security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.
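An added Python example of the kind of startup check this section describes, run over the config as nested dicts (not the project's code; the exact warning wording, the stdio and 127.0.0.1 fallbacks for missing keys, and the extra checks on `blocked_functions_enabled` and `workspace_isolation` are this example's assumptions):

```python
def check_security_config(cfg: dict) -> list[str]:
    """Return startup warnings for a parsed config (the YAML on this page loaded
    into nested dicts). Missing keys fall back to the defaults the page states
    for the blocklist and workspace isolation; the stdio transport and
    127.0.0.1 host fallbacks are assumptions."""
    warnings: list[str] = []
    server = cfg.get("server", {})
    security = cfg.get("security", {})
    execution = cfg.get("execution", {})

    if server.get("transport", "stdio") == "sse":
        # The warning the page documents: SSE without the acknowledgement flag.
        if not security.get("require_proxy_auth", False):
            warnings.append("SSE transport enabled without security.require_proxy_auth: true; "
                            "put the server behind an authenticating reverse proxy")
        # Step 3 of the procedure: the SSE port must not be reachable directly.
        host = str(server.get("host", "127.0.0.1"))
        if host in ("0.0.0.0", "::", ""):
            warnings.append(f"server.host {host!r} exposes the SSE port on all interfaces; "
                            "bind to 127.0.0.1 and let the proxy forward")
    if not security.get("blocked_functions_enabled", True):
        warnings.append("security.blocked_functions_enabled is false: the function blocklist is off")
    if not execution.get("workspace_isolation", True):
        warnings.append("execution.workspace_isolation is false: state may leak between sessions")
    return warnings


# Constructed configs (not from the project): the page's recommended SSE setup
# and a deliberately weak one.
RECOMMENDED = {
    "security": {"require_proxy_auth": True},
    "server": {"transport": "sse", "host": "127.0.0.1", "port": 8765},
}
WEAK = {
    "security": {"blocked_functions_enabled": False},
    "server": {"transport": "sse", "host": "0.0.0.0", "port": 8765},
    "execution": {"workspace_isolation": False},
}

if __name__ == "__main__":
    for label, cfg in [("recommended", RECOMMENDED), ("weak", WEAK)]:
        print(f"[{label}]")
        for w in check_security_config(cfg) or ["no warnings"]:
            print("  WARNING:", w)
```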

Session Cleanup

  • Sessions expire after sessions.session_timeout seconds of inactivity (default 1 hour)
  • Temp files are deleted when sessions end (execution.temp_cleanup_on_disconnect: true)
  • Completed job metadata is pruned after sessions.job_retention_seconds (default 24 hours)
  • Maximum concurrent sessions limited by sessions.max_sessions (default 50)
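An added Python model of these four lifecycle rules (not the project's session manager; the class layout, the temp-directory naming and the injected clock are this example's assumptions). Completed-job metadata is kept separately from sessions so it can outlive the session and still be pruned on its own retention clock:

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    session_id: str
    last_active: float
    temp_dir: str


class SessionRegistry:
    """Tracks sessions and completed-job metadata using the three knobs the
    page documents: sessions.session_timeout, sessions.job_retention_seconds
    and sessions.max_sessions. Times are floats (seconds) passed in by the
    caller so the policy can be exercised without a real clock."""

    def __init__(self, session_timeout: float = 3600, job_retention_seconds: float = 86400,
                 max_sessions: int = 50,
                 on_expire: Optional[Callable[[Session], None]] = None):
        self.session_timeout = session_timeout
        self.job_retention_seconds = job_retention_seconds
        self.max_sessions = max_sessions
        self.on_expire = on_expire  # e.g. remove the session's temp dir
        self.sessions: dict[str, Session] = {}
        # job_id -> (session_id, finished_at)
        self.completed_jobs: dict[str, tuple[str, float]] = {}

    def create(self, session_id: str, now: float) -> Session:
        if len(self.sessions) >= self.max_sessions:
            raise RuntimeError(f"max_sessions ({self.max_sessions}) reached")
        # Assumed per-session temp layout under execution.temp_dir.
        s = Session(session_id, now, temp_dir=f"/tmp/matlab-mcp/{session_id}")
        self.sessions[session_id] = s
        return s

    def touch(self, session_id: str, now: float) -> None:
        """Any activity resets the inactivity timer."""
        self.sessions[session_id].last_active = now

    def job_completed(self, session_id: str, job_id: str, finished_at: float) -> None:
        self.completed_jobs[job_id] = (session_id, finished_at)

    def sweep(self, now: float) -> tuple[list[str], list[str]]:
        """Expire idle sessions (running the cleanup hook) and prune old job
        metadata. Returns (expired_session_ids, pruned_job_ids), sorted."""
        expired = sorted(sid for sid, s in self.sessions.items()
                         if now - s.last_active >= self.session_timeout)
        for sid in expired:
            s = self.sessions.pop(sid)
            if self.on_expire:
                self.on_expire(s)
        pruned = sorted(jid for jid, (_, done) in self.completed_jobs.items()
                        if now - done >= self.job_retention_seconds)
        for jid in pruned:
            del self.completed_jobs[jid]
        return expired, pruned


if __name__ == "__main__":
    reg = SessionRegistry(max_sessions=2, on_expire=lambda s: print("cleanup", s.temp_dir))
    reg.create("a", now=0)
    reg.create("b", now=10)
    reg.job_completed("a", "j1", finished_at=100)
    reg.touch("b", now=3000)
    print(reg.sweep(now=3700))      # "a" idle for 3700 s > 1 h, "b" still active
```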

Code Checking

Optional static analysis of MATLAB code before execution:

  • Enable via config: code_checker.enabled: true
  • Auto-check: Set code_checker.auto_check_before_execute: true to block execution if issues found
  • Severity levels: Configure which severity levels (error, warning) to report

Recommendations

| Scenario     | Recommendations |
|--------------|-----------------|
| Personal use | Default config is fine: stdio transport, standard blocklist. |
| Team server  | SSE + reverse proxy + auth. Review the default blocklist for your use case. Enable workspace isolation. |
| Production   | SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review and customize the blocklist. Enable code checking. Adjust max_upload_size_mb based on expected workloads. Set an appropriate max_execution_time. Monitor via the metrics dashboard. |
