Skip to content

Security

Jump to bottom
github-actions[bot] edited this page Mar 18, 2026 · 20 revisions

Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function Risk
system() Execute arbitrary OS commands
unix() Execute Unix commands
dos() Execute DOS/Windows commands
! Shell escape operator
eval() Execute arbitrary string as code
feval() Call function by name string
evalc() Evaluate and capture output
evalin() Evaluate in caller/base workspace
assignin() Assign variable in caller/base workspace
perl() Execute Perl scripts
python() Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

The scanner processes each line in order:

  1. Removes double-quoted strings ("...")
  2. Removes single-quoted strings ('...'), except when the quote is a transpose operator (preceded by [a-zA-Z0-9_)])
  3. Removes MATLAB comments (from % to end of line)

After sanitization, the code is checked for both function call syntax (func() and command syntax (;func arg).

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Uploaded filenames are validated against these rules:

  • Empty check: Filenames must not be empty
  • Path traversal: Rejects .. sequences to prevent directory traversal attacks (e.g., ../../etc/passwd)
  • Character whitelist: Only characters in [a-zA-Z0-9._-] are allowed

Examples:

✓ data.csv
✓ my-file_v2.txt
✗ ../secret.m          (path traversal)
✗ file@#$.txt          (invalid characters)
✗ (empty string)       (empty filename)

Upload Size Limits

  • Size limit: Configurable via max_upload_size_mb (default 100MB)
  • Temp directory isolation: Files are uploaded to session-specific temp directories under temp_dir (default ./temp)

Workspace Isolation

When workspace_isolation: true (default), the server runs these commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user. Default paths and startup commands (from workspace.default_paths and workspace.startup_commands) are then reapplied.

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config — this is a flag that acknowledges you've set up proper authentication
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet
security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"  # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session Cleanup

  • Session timeout: Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Temp file cleanup: Completed temp files are deleted when sessions end (temp_cleanup_on_disconnect: true)
  • Job metadata retention: Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)
  • Max concurrent sessions: Limited to max_sessions (default 50) to prevent resource exhaustion

Security Event Collection

When a blocked function or construct is detected, the violation is logged and recorded via the event collector (if enabled) with the function name for audit/monitoring purposes.

Recommendations

Scenario Recommendations
Personal use Default config is fine. stdio transport, basic blocklist
Team server SSE + reverse proxy + auth. Review the default blocklist for your use case. Enable workspace_isolation: true (default)
Production SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review blocklist for your use case. Enable workspace_isolation: true and monitor security events

Clone this wiki locally