Hey @pradeeban Sir
All MATLAB functions use eval() to parse data from files:
```matlab
% concore_read.m line 15
inval = eval(ins);
% concore_initval.m line 3
val = eval(simtime_val);
% concore_default_maxtime.m line 5
maxtime = eval(instr);
% concore_iport.m line 10
iport = eval(port_str);
```
If any data file is tampered with (e.g., in a multi-user lab, shared file system, or distributed study via the Mediator), an attacker could execute arbitrary MATLAB commands:
```matlab
% Malicious content in a data file:
[system('rm -rf /'), 0, 0]
```
Python uses ast.literal_eval(), which is specifically designed to be safe. MATLAB has str2num() or jsondecode() as safer alternatives.
Recommendation: Replace eval() with str2num() for numeric array parsing, or implement a custom safe parser that only accepts [num, num, ...] format.
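
The custom-parser option from the recommendation above, as an added MATLAB example that is not part of the original post or of concore's code; the function name `safe_parse_numeric_list` and the accepted number grammar are assumptions. It checks the whole string against a strict pattern and only then converts with `str2double`, which does not evaluate its input; MathWorks documents `str2num` as using `eval` internally, so this example takes the parser route.

```matlab
function vals = safe_parse_numeric_list(str)
% SAFE_PARSE_NUMERIC_LIST  Parse '[num, num, ...]' without calling eval().
% Hypothetical helper (assumed name, not part of concore). Anything that is
% not a bracketed, comma-separated list of plain decimal numbers is rejected
% with an error instead of being executed.
%
% Constructed sample inputs:
%   safe_parse_numeric_list('[0.0, 1.5, -2e-3]')           % accepted
%   safe_parse_numeric_list('[]')                          % accepted, empty
%   safe_parse_numeric_list('[system(''id''), 0, 0]')      % rejected
%   safe_parse_numeric_list('[1, 2]; disp(1)')             % rejected

    if ~(ischar(str) || (isstring(str) && isscalar(str)))
        error('safe_parse:type', ...
              'Input must be a character vector or string scalar.');
    end
    str = strtrim(char(str));

    % One decimal number: optional sign, digits with optional fraction,
    % optional exponent. No identifiers, quotes, parentheses or operators.
    num   = '[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?';
    % Whole input: '[' number (',' number)* ']' with optional whitespace.
    whole = ['^\[\s*(' num '(\s*,\s*' num ')*)?\s*\]$'];

    if isempty(regexp(str, whole, 'once'))
        error('safe_parse:format', ...
              'Rejected: input is not a [num, num, ...] list.');
    end

    body = strtrim(str(2:end-1));       % drop the surrounding brackets
    if isempty(body)
        vals = [];
        return;
    end

    tokens = strtrim(strsplit(body, ','));
    vals   = str2double(tokens);        % plain text-to-number conversion

    % Defence in depth: str2double yields NaN for text it cannot convert.
    if any(isnan(vals))
        error('safe_parse:value', 'Rejected: non-numeric element.');
    end
end
```

Callers such as `concore_read.m` would wrap the call in `try`/`catch` and treat a rejection as a corrupted or tampered data file rather than falling back to `eval`.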