Skip to content

Security

Jump to bottom
github-actions[bot] edited this page Mar 22, 2026 · 20 revisions

Security

The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.

Function Blocklist

By default, these MATLAB functions are blocked:

Function Risk
system() Execute arbitrary OS commands
unix() Execute Unix commands
dos() Execute DOS/Windows commands
! Shell escape operator
eval() Execute arbitrary string as code
feval() Call function by name string
evalc() Evaluate and capture output
evalin() Evaluate in caller/base workspace
assignin() Assign variable in caller/base workspace
perl() Execute Perl scripts
python() Execute Python scripts

Smart Scanning

The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:

% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great')    % "system" inside a string
% system('ls')                            % "system" inside a comment
msg = "unix-based systems";              % "unix" inside a string

% This WILL be blocked:
system('rm -rf /')                       % Actual system() call

String and Comment Stripping

The validator processes each line in order:

  1. Remove double-quoted strings "..."
  2. Remove single-quoted strings '...' (MATLAB char arrays)
    • A quote preceded by [a-zA-Z0-9_)] is treated as a transpose operator, not a string delimiter
  3. Remove MATLAB comments (% to end of line)

This is a best-effort heuristic that handles common cases without requiring a full MATLAB parser.

Customizing the Blocklist

security:
  blocked_functions_enabled: true  # Set false to disable entirely
  blocked_functions:               # These are the defaults:
    - "system"
    - "unix"
    - "dos"
    - "!"
    - "eval"
    - "feval"
    - "evalc"
    - "evalin"
    - "assignin"
    - "perl"
    - "python"

Filename Sanitization

Upload filenames are validated against a strict allowlist to prevent path traversal and injection attacks:

  • Allowed characters: [a-zA-Z0-9._-] only
  • Path traversal prevention: Filenames containing .. are rejected
  • Empty filenames: Rejected
  • Basename only: Directory separators are not allowed

Example rejections:

  • ../../etc/passwd — contains ..
  • file name.txt — contains space
  • script;rm -rf / — contains ;
  • Empty string — must have a name

Upload Size Limits

  • Default limit: 100 MB
  • Configurable: Set max_upload_size_mb in the security config
security:
  max_upload_size_mb: 100

Files exceeding this limit are rejected before upload completes.

Workspace Isolation

When workspace_isolation: true (default), the server runs these cleanup commands between sessions:

clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;

This ensures one user's variables, functions, and file handles don't leak to another user. Each session starts with a clean workspace.

SSE Transport Security

When using SSE transport for multi-user deployments:

  1. Set require_proxy_auth: true in config — this is a flag that acknowledges you've set up proper authentication
  2. Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
  3. Do NOT expose the SSE port directly to the internet
  4. Bind to localhost only for SSE transport
security:
  require_proxy_auth: true  # Suppresses the security warning

server:
  transport: "sse"
  host: "127.0.0.1"        # Bind to localhost only
  port: 8765

The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.

Session Cleanup

  • Session timeout: Sessions expire after session_timeout seconds of inactivity (default 3600 seconds / 1 hour)
  • Temp file cleanup: Temp files are deleted when sessions end if temp_cleanup_on_disconnect: true
  • Job metadata retention: Completed job metadata is pruned after job_retention_seconds (default 86400 seconds / 24 hours)
sessions:
  session_timeout: 3600          # seconds of inactivity
  job_retention_seconds: 86400   # seconds to keep completed job metadata

execution:
  temp_cleanup_on_disconnect: true

Recommendations

Scenario Recommendations
Personal use Default config is fine. stdio transport, basic blocklist
Team server SSE + reverse proxy + auth. Review the default blocklist for your use case. Enable code_checker if desired
Production SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review blocklist for your use case. Monitor via monitoring dashboard. Set reasonable max_execution_time and max_sessions limits

Clone this wiki locally