Skip to content

Security

Jump to bottom
github-actions[bot] edited this page Mar 18, 2026 · 20 revisions

Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function Risk
system() Execute arbitrary OS commands
unix() Execute Unix commands
dos() Execute DOS/Windows commands
! Shell escape operator
eval() Execute arbitrary string as code
feval() Call function by name string
evalc() Evaluate and capture output
evalin() Evaluate in caller/base workspace
assignin() Assign variable in caller/base workspace
perl() Execute Perl scripts
python() Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

The validator processes each line in order:

  1. Removes double-quoted strings "..."
  2. Removes single-quoted strings '...' (MATLAB char arrays) — note that quotes preceded by [a-zA-Z0-9_)] are treated as transpose operators, not string delimiters
  3. Removes MATLAB comments (% to end of line)

After sanitization, the validator checks for blocked function calls using pattern matching:

  • Function call syntax: function_name(
  • Command syntax: ; or start of line followed by function_name and whitespace

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Uploaded files are validated with the following rules:

  • Empty filenames are rejected
  • Path traversal (e.g., ../../etc/passwd) is rejected
  • Characters must be in the set [a-zA-Z0-9._-] only
  • Basename only — no directory separators allowed

If validation fails, a ValueError is raised with a descriptive message. Valid filenames are returned unchanged.

Upload Protection

  • Size limit: Configurable via max_upload_size_mb (default 100MB)
  • Filename sanitization: Applied as described above
  • Temp directory isolation: Files are uploaded to session-specific temp directories under temp_dir (default ./temp)
  • Cleanup: Temp files are deleted when sessions end if temp_cleanup_on_disconnect: true (default)

Workspace Isolation

When workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user.

Note: If engine_affinity: true, a session is pinned to a specific engine for persistent workspace state across multiple requests.

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config — this acknowledges you've set up proper authentication
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet
  4. Bind to localhost only with host: "127.0.0.1" if running on a shared machine
security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session Cleanup

  • Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Temp files are deleted when sessions end if temp_cleanup_on_disconnect: true (default)
  • Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)
  • Maximum concurrent sessions is capped at max_sessions (default 50)

Code Checking

When code_checker.enabled: true, the server can optionally validate code before execution if auto_check_before_execute: true. This provides warnings and errors at the specified severity levels before MATLAB execution begins.

Recommendations

Scenario Recommendations
Personal use Default config is fine. stdio transport, basic blocklist, workspace isolation enabled
Team server SSE + reverse proxy + auth. require_proxy_auth: true. Review the default blocklist and max_sessions for your use case
Production SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review and customize blocklist. Enable code checker. Monitor with dashboard. Set appropriate max_execution_time and session_timeout

Clone this wiki locally