MA
MATLAB Security
MATLAB security practices for safe file handling, eval avoidance, and external command execution
Details
Language / Topic
MATLABCategory
Security
Rules
balanced
- Never use `eval(userInput)` or `feval(userFunctionName)` with externally supplied strings — they execute arbitrary MATLAB code as the current user.
- Validate file paths before passing to `load`, `fopen`, or `system` — use `fullfile` and `exist(path, 'file')` to verify the path resolves to an expected location.
- Do not hardcode credentials, API keys, or connection strings in `.m` files — read them from environment variables or a secrets file excluded from version control.
- Use `fopen(path, 'r')` with an explicit mode and check the returned file descriptor (`fd ~= -1`) before reading — never assume `fopen` succeeds.
- Sanitize inputs to `system()` calls by building argument lists programmatically rather than concatenating user input into a shell command string.
- Restrict `load` to `.mat` files you control — loading untrusted `.mat` files can execute embedded class constructors and custom `loadobj` methods.
- Use MATLAB's `setpref`/`getpref` or encrypted credential files rather than storing passwords in `MAT` files or workspace variables.