794de6864a
## Problem

Django validates file content type by reading "magic bytes" from the start of the file. It doesn't then check that the file really is the type it claims to be.

https://docs.djangoproject.com/en/4.1/topics/security/#user-uploaded-content

That's not good enough for rock and roll. And would allow an attacker to attempt to upload HTML with magic bytes that pretend to be an image file. We would store that and then serve it back to a dashboard. ☠️

See more at https://trailofbits.github.io/ctf/forensics/

## Changes

On upload use the [Pillow image library](https://github.com/python-pillow/Pillow) to open the file and transpose it. The image must be valid to be successfully transposed.

## How did you test this code?

* Adding a valid image file and seeing the developer tests still run
* Adding a file handcrafted to start with gif magic bytes but not actually be a gif and seeing validation fail
* Uploading an image to a dashboard and seeing it still work
PostHog is an open-source product analytics suite, built for engineers
- Automatically track every event on your website or app
- Understand your users and how to improve your product
- Deploy on your own infrastructure to keep control of your data.
Get started for free
Option 1: Hobby instance one-line-deploy
For <100K events ingested monthly on Linux with Docker (recommended 4GB memory):
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/posthog/posthog/HEAD/bin/deploy-hobby)"
Option 2: Production instance on your infrastructure
Follow our Scalable Self-Hosting Guide for all major cloud service providers and on-premise deploys
Option 3: If you don't need to self-host
Sign up for a free PostHog Cloud project
Features
We bring all the tools into one place to give you everything you need to build better products:
- Event-based Analytics on users or groups - capture your product's usage data to see which users are doing what in your application
- Product data visualizations: graphs, funnels, cohorts, paths, retention, and dashboards
- Complete control over your data - host it yourself on any infrastructure
- Session recording to watch videos of your users' behavior, with fine-grained privacy controls
- Automatically capture clicks and pageviews to analyze what your users are doing without pushing events manually
- Feature flags to understand the impact of new features before rolling them out more widely
- Heatmaps to understand how users interact with your product with the PostHog Toolbar
- Automated Analysis to find correlations between successful users and their behaviors or attributes
- Plays nicely with data warehouses: import events or user data from your warehouse by writing a simple transformation plugin, and export data with pre-built plugins - such as BigQuery, Redshift, Snowflake and S3
- Infinitely extensible: use custom plugins to extend PostHog and integrate with any service or tool
- Ready-made libraries for JS, Python, Ruby, Node, Go, Android, iOS, PHP, Flutter, React Native, Elixir, Nim + an API for anything else
- And much, much more; see the full list of PostHog features.
Event autocapture
You don't have to spend weeks instrumenting every event on your front-end: point and click at elements from your browser and turn them into events which you and your team can analyze.
Getting the most out of PostHog
See PostHog Docs for in-depth walk-throughs on functionality.
Join our Slack community if you need help, want to chat, or are thinking of a new feature. We're here to help - and to make PostHog even better.
Philosophy
We help you understand user behavior and build better products without losing control of your data.
In our view, third-party analytics tools do not work in a world of cookie deprecation, GDPR, HIPAA, CCPA, and many other four-letter acronyms. PostHog is the alternative to sending all of your customers' personal information and usage data to third-parties.
PostHog is designed to give you every tool you need to understand user behavior, create hypotheses and release changes to make your product more successful.
What's cool about this?
PostHog is the only product-focused open-source analytics suite, with an event, user and group architecture that you can host in any infrastructure.
We are an open-source alternative to products such as Mixpanel, Amplitude, Heap, HotJar, Pendo or Full Story. We're designed to be more developer-friendly, with the broadest range of features like session recording, heatmaps, feature flags, and plugins.
We play nicely with data warehouses and other services - you can import event or user data by writing a plugin to create transformations, or you can export data by using our existing data exports to BigQuery, Redshift, Snowflake, etc. All without losing control of your data.
Developing locally & Contributing
See our Docs for instructions on developing PostHog locally.
We <3 contributions big or small, check out our guide on how to get started.
Not sure where to start? Book a free, no-pressure pairing session with one of the team.
We're hiring!
Come help us make PostHog even better. We're growing fast, and would love for you to join us.
Open-source vs. paid
This repo is entirely MIT licensed, with the exception of the ee directory (if applicable). Need absolutely 💯% FOSS? Check out our posthog-foss repository, which is purged of all proprietary code and features.
Premium features (contained in the ee directory) require a PostHog license. Contact us at sales@posthog.com for more information, or see our pricing page.