github-actions[bot] edited this page Mar 18, 2026 · 20 revisions

Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function      Risk
system()      Execute arbitrary OS commands
unix()        Execute Unix commands
dos()         Execute DOS/Windows commands
!             Shell escape operator
eval()        Execute arbitrary string as code
feval()       Call a function by name string
evalc()       Evaluate and capture output
evalin()      Evaluate in caller/base workspace
assignin()    Assign variable in caller/base workspace
perl()        Execute Perl scripts
python()      Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

String Literal Processing

For each line of submitted code, the validator applies these steps in order:

  1. Remove double-quoted strings ("...")
  2. Remove single-quoted strings ('...'); a quote immediately preceded by one of [a-zA-Z0-9_)] is treated as the transpose operator (x', f(x)') rather than a string delimiter and is left alone
  3. Remove MATLAB comments (% to end of line)

This approach handles the common cases without requiring a full MATLAB parser. Because strings are removed before comments, a % inside a string literal is not mistaken for the start of a comment. It is a best-effort text filter rather than a parser or a sandbox, so treat it as one layer alongside proxy authentication, workspace isolation and event logging, not as the only control.

Shell Escape Detection

The shell escape operator ! is detected by checking whether a line, after leading whitespace is removed, begins with !. A ! that appears elsewhere on the line is not treated as a shell escape.
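The three stripping steps and the shell-escape check above, written out as a small Python reimplementation so the safe and blocked lines from this page can be run through it. This is an added example, not the server's own validator: the regular expressions, the whole-word match for function names, and the strip_line / check_code names are this example's assumptions, and the sample MATLAB lines are constructed.

```python
import re

# Default blocklist as listed on this page.
DEFAULT_BLOCKED = ["system", "unix", "dos", "!", "eval", "feval",
                   "evalc", "evalin", "assignin", "perl", "python"]

# Step 1: double-quoted strings ("" inside a string is an escaped quote).
_DQ_STRING = re.compile(r'"(?:[^"]|"")*"')
# Step 2: single-quoted strings. A quote immediately preceded by one of
# [a-zA-Z0-9_)] is the transpose operator (x', f(x)'), so the negative
# lookbehind skips it; '' inside a string is an escaped quote.
_SQ_STRING = re.compile(r"(?<![A-Za-z0-9_)])'(?:[^']|'')*'")
# Step 3: a comment runs from % to end of line. Strings were removed
# first, so a % inside a string literal never starts a comment here.
_COMMENT = re.compile(r"%.*$")


def strip_line(line: str) -> str:
    """Apply the three removal steps in the order the page describes."""
    line = _DQ_STRING.sub('""', line)   # keep empty quotes so the line stays readable
    line = _SQ_STRING.sub("''", line)
    return _COMMENT.sub("", line)


def check_code(code: str, blocked=DEFAULT_BLOCKED) -> list[tuple[int, str]]:
    """Return (line_number, blocked_name) for every hit found after stripping.

    Assumption: function names are matched as whole words; the page does not
    document the exact matching rule the real validator uses.
    """
    names = [b for b in blocked if b != "!"]
    name_re = (re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b")
               if names else None)
    findings = []
    for lineno, raw in enumerate(code.splitlines(), start=1):
        line = strip_line(raw)
        # Shell escape: the line, after leading whitespace, begins with '!'.
        if "!" in blocked and line.lstrip().startswith("!"):
            findings.append((lineno, "!"))
            continue
        if name_re:
            findings.extend((lineno, m.group(1)) for m in name_re.finditer(line))
    return findings


# Constructed sample: the page's own safe and unsafe lines plus a transpose.
SAMPLE = """\
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string
x = data';                               % transpose, not a string
system('rm -rf /')                       % actual system() call
   !ls                                   % shell escape
"""

if __name__ == "__main__":
    for lineno, name in check_code(SAMPLE):
        print(f"line {lineno}: blocked '{name}'")
```

Only lines 5 and 6 of the sample are reported; the word "system" inside the string, the comment, and the trailing comment on line 5 itself all disappear before matching. Passing a different list as blocked mirrors the blocked_functions setting, and an empty list mirrors blocked_functions_enabled: false. The lookbehind class is exactly the one the page gives; extend it if your code relies on transposes after ] or }.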

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Uploaded files are validated to prevent security issues:

  • Path traversal protection: Filenames cannot contain .. sequences
  • Character whitelist: Only [a-zA-Z0-9._-] are allowed, which also rejects path separators (/ and \) and any other special character
  • Empty filename rejection: Filenames must not be empty

Examples:

✓ report.txt
✓ data_2024-01-15.csv
✗ ../../../etc/passwd      (path traversal)
✗ file@name.txt            (invalid character @)
✗ (empty)                  (empty filename)
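The three filename rules above as a Python check, with the page's examples run through it. This is an added example, not the server's code: the sanitize_filename, safe_upload_path and classify names are this example's own, and the final containment check (resolving the name inside the session directory and refusing anything that lands outside it) is a belt-and-braces step this example adds on top of the documented rules.

```python
import os
import re

# Whitelist from this page: letters, digits, dot, underscore, hyphen.
_ALLOWED = re.compile(r"[A-Za-z0-9._-]+")


def sanitize_filename(name: str) -> str:
    """Return name unchanged if it passes the page's three rules, else raise ValueError.

    The checks run in the order the page lists them so the error names the
    first rule that failed (e.g. '../x' reports traversal, not the '/').
    """
    if not name:
        raise ValueError("empty filename")
    if ".." in name:
        raise ValueError("path traversal")
    if not _ALLOWED.fullmatch(name):
        raise ValueError("invalid character")
    return name


def safe_upload_path(session_dir: str, name: str) -> str:
    """Resolve name inside session_dir and refuse anything that escapes it.

    Added check (not a documented rule): even after the whitelist passes,
    confirm the resolved path is still under the session's temp directory.
    """
    base = os.path.realpath(session_dir)
    target = os.path.realpath(os.path.join(base, sanitize_filename(name)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("escapes session directory")
    return target


def classify(name: str) -> str:
    """'ok' or the rejection reason, for tabulating examples."""
    try:
        sanitize_filename(name)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed examples: the page's five cases plus two the rules also cover.
EXAMPLES = ["report.txt", "data_2024-01-15.csv", "../../../etc/passwd",
            "file@name.txt", "", "..", "sub/dir.txt"]

if __name__ == "__main__":
    for candidate in EXAMPLES:
        print(f"{candidate!r:28} -> {classify(candidate)}")
```

Note that a bare .. would pass the character whitelist on its own (dots are allowed), which is why the explicit .. check is still needed even though the whitelist already excludes path separators.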

Upload Protection

  • Size limit: Configurable via max_upload_size_mb (default 100MB)
  • Temp directory isolation: Files are uploaded to session-specific temp directories
  • Cleanup: Temporary files are deleted when sessions end (temp_cleanup_on_disconnect: true)

Workspace Isolation

When workspace_isolation: true (default), the server runs the following commands between sessions to prevent data leakage:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user.

Note: If engine_affinity: true, a session may stay pinned to a single engine so its workspace persists across requests. That is the point of the setting, but it also means the isolation commands above do not run between that session's own requests, so state the session creates remains on that engine until the session ends.

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config. This flag does not enable authentication itself; it records that you have put authentication in front of the server and suppresses the startup warning
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) that performs authentication
  3. Do NOT expose the SSE port directly to the internet

security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.
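The startup warning above, plus the other deployment-sensitive settings from this page (host binding, the blocklist toggle, workspace_isolation and engine_affinity), as a small Python config audit run over a weak and a hardened configuration. This is an added example, not the server's own startup check: the audit_config name, the warning texts, the loopback host list, and the assumption that workspace_isolation and engine_affinity may sit in any config section are this example's own, and both configs are constructed.

```python
def _get(cfg: dict, key: str, default):
    """Look key up at the top level, then inside any section.

    Assumption: the page shows server: and security: sections but not which
    one holds workspace_isolation or engine_affinity, so search them all.
    """
    if key in cfg:
        return cfg[key]
    for section in cfg.values():
        if isinstance(section, dict) and key in section:
            return section[key]
    return default


def audit_config(cfg: dict) -> list[str]:
    """Return one warning per deployment-sensitive setting left in a weak state."""
    warnings = []
    if _get(cfg, "transport", "stdio") == "sse":
        if not _get(cfg, "require_proxy_auth", False):
            warnings.append("sse without require_proxy_auth: true "
                            "(the server warns about this at startup)")
        if _get(cfg, "host", "127.0.0.1") not in ("127.0.0.1", "localhost", "::1"):
            warnings.append("sse host is not loopback; bind to 127.0.0.1 behind the proxy")
    if not _get(cfg, "blocked_functions_enabled", True):
        warnings.append("function blocklist disabled")
    if not _get(cfg, "workspace_isolation", True):
        warnings.append("workspace_isolation off: state can leak between sessions")
    if _get(cfg, "engine_affinity", False):
        warnings.append("engine_affinity on: isolation commands do not run "
                        "between a pinned session's requests")
    return warnings


# Constructed configs, shaped like the YAML on this page after loading.
WEAK_CONFIG = {
    "server": {"transport": "sse", "host": "0.0.0.0", "port": 8765},
    "security": {"blocked_functions_enabled": False, "engine_affinity": True},
}
HARDENED_CONFIG = {
    "server": {"transport": "sse", "host": "127.0.0.1", "port": 8765},
    "security": {"require_proxy_auth": True, "workspace_isolation": True,
                 "engine_affinity": False},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no warnings']}")
```

The hardened config matches the Production row of the recommendations table and produces no warnings; the weak one produces four. A stdio-only config produces none because the SSE checks only apply when that transport is selected.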

Session Cleanup

  • Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Temp files are deleted when sessions end (temp_cleanup_on_disconnect: true)
  • Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)
  • Maximum concurrent sessions limited by max_sessions (default 50)

Security Event Logging

Security violations (blocked functions, invalid filenames, etc.) are logged at warning level and optionally collected via an event collector. Use these logs to monitor for misuse patterns.

Recommendations

Scenario       Recommendations
Personal use   Default config is fine: stdio transport, basic blocklist.
Team server    SSE + reverse proxy + auth. Review the default blocklist for your use case. Set workspace_isolation: true.
Production     SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review the blocklist for your use case. Enable monitoring. Set workspace_isolation: true and engine_affinity: false.
