high security risk on multi-user-systems

[jhgoebbert]

Hello,

It seems to me, as if MATLAB is started here without token/password on a local port:
https://github.com/mathworks/jupyter-matlab-proxy/blob/v0.7.1/src/jupyter_matlab_proxy/__init__.py#L46

This MATLAB server listens on that local port and executes any code in the in the name of the user who owns the MATLAB process.

jupyter-server-proxy comes with support for unix-sockets lately which would fix this security issue nicely:
jupyterhub/jupyter-server-proxy#337

[prabhakk-mw]

Hi @jhgoebbert

Thank you for your feedback!

matlab-proxy does come with its own Authentication mechanism , see token-based-authentication which was created to serve this use case.

However, we haven't extended the jupyter-matlab-proxy package to utilize that as we assumed that the security measures provided by jupyter would suffice. Clearly this is only true for single user systems, and may not extend to multi user environments.

Thank you for reporting this and sharing info about unix-sockets, we will weigh our options here and report back.

[prabhakk-mw]

Hi @jhgoebbert
Kindly let us know if v0.8.0 of jupyter-matlab-proxy, in combination with v0.8.0 of matlab-proxy fixes the concerns presented in this issue?
One can update these packages with

pip install --upgrade matlab-proxy
pip install --upgrade jupyter-matlab-proxy

[jhgoebbert]

Hello @prabhakk-mw

this are great news - thank you for your effort. I just tested it on our systems.
I also like that you made it visible in the startup information.

So for everyone who comes by this issue - this is how it looks: