mathworks / matlab-proxy

Python® package enables you to open a MATLAB® desktop in a web browser tab.

high security risk on multi-user-systems #20

Closed jhgoebbert closed 1 year ago

jhgoebbert commented 1 year ago

Hello,

It seems to me as if MATLAB is started here without a token/password on a local port: https://github.com/mathworks/jupyter-matlab-proxy/blob/v0.7.1/src/jupyter_matlab_proxy/__init__.py#L46

This MATLAB server listens on that local port and executes any code in the name of the user who owns the MATLAB process.

jupyter-server-proxy comes with support for unix-sockets lately, which would fix this security issue nicely: https://github.com/jupyterhub/jupyter-server-proxy/pull/337
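Added example, not part of the original issue and not code from matlab-proxy or jupyter-server-proxy: a Python sketch of the distinction the comment above draws between an unauthenticated loopback port and a Unix socket guarded by file permissions. The helper names and the `proxy.sock` file name are hypothetical, and the classification ignores extra controls such as firewall rules or network namespaces.

```python
import os
import socket
import stat
import tempfile


def open_loopback_listener():
    """TCP on 127.0.0.1: no filesystem object guards the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()


def open_private_unix_listener(name="proxy.sock"):  # hypothetical file name
    """Unix socket in a fresh directory that only the owner can enter."""
    sock_dir = tempfile.mkdtemp(prefix="proxy-")  # mkdtemp creates mode 0700
    path = os.path.join(sock_dir, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created as 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv, path


def who_can_connect(endpoint):
    """Classify a listener address returned by the helpers above."""
    if isinstance(endpoint, tuple):  # (host, port): TCP
        return "any local user"
    # Check the socket file and its directory: some platforms ignore the
    # socket file's own mode, so the 0700 directory is the portable gate.
    for p in (endpoint, os.path.dirname(endpoint)):
        st = os.stat(p)
        if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
            return "other local users"
    return "owner only"


if __name__ == "__main__":
    for opener in (open_loopback_listener, open_private_unix_listener):
        srv, endpoint = opener()
        print(endpoint, "->", who_can_connect(endpoint))
        srv.close()
```

The same `who_can_connect` check can be pointed at an existing socket path to confirm that neither the socket file nor its directory grants group or world access.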

jhgoebbert commented 1 year ago

I moved the issue to the correct repo: https://github.com/mathworks/jupyter-matlab-proxy/issues/63