One Matlab Command You Should Never Use - Why The Eval Command Is Awful [Matlab Rants] 

CodingLikeMad

In this video we go over the Eval function in matlab, and discuss what it's for and why it's really insecure. The video is intended for educational purposes only - please be kind to each other's code!

Category: Science

Published: 9 Oct 2018

Comments: 8
@tejasj1718 5 years ago
Surprisingly good quality for someone with so few subscribers. You earned a new sub!
@CodingLikeMad 5 years ago
Thanks so much!
@CoffeeHolic93 5 years ago
Nice stuff. Was wondering why I've been told to steer clear of the Eval function. I no longer wonder that.
@CodingLikeMad 5 years ago
Thanks so much! I like your username by the way. The video doesn't cover everything I would want it to, but I thought this was the easiest thing to make the point with. I would say a bigger practical issue is actually that I can't debug eval statements so easily. When you debug code, you go and look at what line of code it crashed on. But with eval, that line of code is in a variable - a variable that might not exist anymore if it is running a live system. The line of code could also be very complicated, depending on how the eval is being used. The security stuff though I think illustrates why this command is fundamentally broken. Glad you enjoyed :)
@CoffeeHolic93 5 years ago
@CodingLikeMad Yeah that makes sense. All scripts and functions that I've made have been on the shorter side as I'm a biologist (At least once I turn in my thesis I am, hah) and I am "just" using matlab to automate data analysis, and since my scripts are never long they're generally easy to debug. :)
@rafaelbogoportalchagas824 4 years ago
Great video! Learned a lot
@lmmartinez97 3 years ago
I use it to evaluate symbolic expressions and obtain real values. Is there any other alternative? Pretty scary stuff if you ask me
@CodingLikeMad 3 years ago
This is almost exactly the case I am most worried about actually. User context matters a lot here. If you are using a web interface to supply those strings to be evaluated, that's a big risk. If it's just you, or just a small group of trusted coworkers, that's less concerning. If the feature is required, you can't find an alternative method, and the audience potentially includes a malicious actor, I would treat this the same way I would an SQL-enabled web server. This includes first and foremost cleaning the inputs of all symbols that are potentially malicious. Because () are on that list, you have a pretty big problem though. I would then consider layered security, making sure the matlab instance does not have privileges on the machine it should not have, making sure that sensitive data is not available on the machine if possible, and potentially encapsulating it in a virtual machine. I can't give great advice here though, I'm very much not an expert in this type of thing, and if I had a good solution I would have offered it. You will need to do your own research on this one, I am unable to provide a good solution via comment here because it is such a hard problem.
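
The input-cleaning step discussed in the thread above can be done with an allowlist instead of stripping symbols: parentheses stay legal, but only a name on a fixed list may appear in front of one. This is an added example, not code from the video or from any commenter; the function name `isAllowedExpr`, the 200-character limit and both allowlists are assumptions to adapt.

```matlab
function ok = isAllowedExpr(expr)
%ISALLOWEDEXPR True only if expr is built from allowlisted tokens.
% Hypothetical helper (not from the video). The two lists below are
% assumptions: set them to the functions and variables you support.
allowedFuncs = {'sin','cos','tan','exp','log','sqrt','abs'};
allowedVars  = {'x','y','pi'};

ok = false;
isText = (ischar(expr) && isrow(expr)) || (isstring(expr) && isscalar(expr));
if ~isText || strlength(expr) > 200
    return                      % wrong type, empty, or oversized input
end
expr = regexprep(char(expr), '\s+', '');   % drop all whitespace

% Token vocabulary: numbers, identifiers, arithmetic operators,
% parentheses and the argument comma. Nothing else is legal.
pat = '\d+(\.\d*)?([eE][+-]?\d+)?|\.\d+|[A-Za-z_]\w*|[-+*/^(),]';
tok = regexp(expr, pat, 'match');

% A character outside the vocabulary (quote, ;, @, !, =, [, ...) is
% skipped by regexp, so the re-joined tokens no longer equal the input.
if isempty(tok) || ~strcmp(strjoin(tok, ''), expr)
    return
end

for k = 1:numel(tok)
    t = tok{k};
    if isempty(regexp(t, '^[A-Za-z_]', 'once'))
        continue                % number or operator: already constrained
    end
    isCall = k < numel(tok) && strcmp(tok{k+1}, '(');
    if isCall && ~ismember(t, allowedFuncs)
        return                  % name( ... ) with a name not on the list
    elseif ~isCall && ~ismember(t, allowedVars)
        return                  % bare name that is not a known variable
    end
end
ok = true;
end
```

The function checks vocabulary only, not syntax, so a malformed but harmless string can still pass and fail later in the parser. Any input containing quotes, semicolons, or a call to a name outside `allowedFuncs` returns false.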