Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function	Risk
`system()`	Execute arbitrary OS commands
`unix()`	Execute Unix commands
`dos()`	Execute DOS/Windows commands
`!`	Shell escape operator
`eval()`	Execute arbitrary string as code
`feval()`	Call function by name string
`evalc()`	Evaluate and capture output
`evalin()`	Evaluate in caller/base workspace
`assignin()`	Assign variable in caller/base workspace
`perl()`	Execute Perl scripts
`python()`	Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:       # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"
    - "web"               # Add more as needed

Workspace Isolation

When workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user.

Upload Protection

Size limit: Configurable via max_upload_size_mb (default 100MB)
Filename sanitization: Rejects filenames with path traversal (../../etc/passwd is rejected) or characters outside [a-zA-Z0-9._-]
Temp directory isolation: Files are uploaded to session-specific temp directories

SSE Transport Security

When using SSE transport for multi-user deployments:

Set require_proxy_auth: true in config — this is a flag that acknowledges you've set up proper auth
Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
Do NOT expose the SSE port directly to the internet

security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session Cleanup

Sessions expire after session_timeout seconds of inactivity (default 1 hour)
Temp files are deleted when sessions end (temp_cleanup_on_disconnect: true)
Completed job metadata is pruned after job_retention_seconds (default 24 hours)

Recommendations

Scenario	Recommendations
Personal use	Default config is fine. stdio transport, basic blocklist
Team server	SSE + reverse proxy + auth. Review the default blocklist for your use case
Production	SSE + reverse proxy + TLS + auth. `require_proxy_auth: true`. Review blocklist for your use case

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security

Security

Function Blocklist

Smart Scanning

Customizing the Blocklist

Workspace Isolation

Upload Protection

SSE Transport Security

Session Cleanup

Recommendations

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally