-
Notifications
You must be signed in to change notification settings - Fork 0
Security
The server includes multiple security layers to prevent misuse while keeping MATLAB accessible to AI agents.
By default, these MATLAB functions are blocked:
| Function | Risk |
|---|---|
system() |
Execute arbitrary OS commands |
unix() |
Execute Unix commands |
dos() |
Execute DOS/Windows commands |
! |
Shell escape operator |
eval() |
Execute arbitrary string as code |
feval() |
Call function by name string |
evalc() |
Evaluate and capture output |
evalin() |
Evaluate in caller/base workspace |
assignin() |
Assign variable in caller/base workspace |
perl() |
Execute Perl scripts |
python() |
Execute Python scripts |
The security validator strips string literals and comments before checking for blocked functions. This prevents false positives:
% These are SAFE and will NOT trigger the blocklist:
disp('The operating system is great') % "system" inside a string
% system('ls') % "system" inside a comment
msg = "unix-based systems"; % "unix" inside a string
% This WILL be blocked:
system('rm -rf /') % Actual system() callThe validator processes each line in the following order:
- Remove double-quoted strings
"..." - Remove single-quoted strings
'...'(MATLAB char arrays)- A quote preceded by
[a-zA-Z0-9_)]is treated as a transpose operator, not a string delimiter
- A quote preceded by
- Remove MATLAB comments (
%to end of line)
This is a best-effort heuristic without a full MATLAB parser and handles the common cases reliably.
security:
blocked_functions_enabled: true # Set false to disable entirely
blocked_functions: # These are the defaults:
- "system"
- "unix"
- "dos"
- "!"
- "eval"
- "feval"
- "evalc"
- "evalin"
- "assignin"
- "perl"
- "python"When workspace_isolation: true (default), the server runs these commands between sessions:
clear all;
clear global;
clear functions;
fclose all;
restoredefaultpath;This ensures one user's variables, functions, and file handles don't leak to another user.
-
Size limit: Configurable via
max_upload_size_mb(default 100MB) -
Filename sanitization: Rejects filenames with:
- Path traversal sequences (
..) - Characters outside
[a-zA-Z0-9._-] - Empty strings
- Path traversal sequences (
- Temp directory isolation: Files are uploaded to session-specific temp directories
When using SSE transport for multi-user deployments:
-
Set
require_proxy_auth: truein config — this is a flag that acknowledges you've set up proper authentication - Put the server behind a reverse proxy (nginx, Caddy, Traefik) with authentication
- Do NOT expose the SSE port directly to the internet
security:
require_proxy_auth: true # Suppresses the security warning
server:
transport: "sse"
host: "127.0.0.1" # Bind to localhost only
port: 8765The server logs a warning at startup if SSE is enabled without require_proxy_auth: true.
-
Session timeout: Sessions expire after
session_timeoutseconds of inactivity (default 3600 seconds / 1 hour) -
Temp file cleanup: Files are deleted when sessions end (
temp_cleanup_on_disconnect: true) -
Job retention: Completed job metadata is pruned after
job_retention_seconds(default 86400 seconds / 24 hours) -
Maximum sessions: Server supports up to
max_sessionsconcurrent sessions (default 50)
The optional code checker (code_checker.enabled: true) can validate MATLAB code before execution:
-
Auto-check: Enable with
auto_check_before_execute: trueto automatically validate code before it runs - Severity levels: Filter checks by severity (error, warning)
- Independent of blocklist: The code checker is separate from the function blocklist and can be enabled/disabled independently
| Scenario | Recommendations |
|---|---|
| Personal use | Default config is fine. stdio transport, basic blocklist |
| Team server | SSE + reverse proxy + auth. Review the default blocklist for your use case. Enable workspace_isolation
|
| Production | SSE + reverse proxy + TLS + auth. require_proxy_auth: true. Review blocklist for your use case. Set max_sessions based on capacity. Enable monitoring and logging |