Skip to content

docs: add response body size limitation#781

Open
pellared wants to merge 9 commits intoopen-telemetry:mainfrom
pellared:limit-body
Open

docs: add response body size limitation#781
pellared wants to merge 9 commits intoopen-telemetry:mainfrom
pellared:limit-body

Conversation

@pellared
Copy link
Copy Markdown
Member

@pellared pellared commented Mar 30, 2026
edited
Loading

@pellared pellared changed the title spec: add response body size limitation to mitigate memory usage risks docs: add response body size limitation to mitigate memory usage risks Mar 30, 2026
@pellared pellared changed the title docs: add response body size limitation to mitigate memory usage risks docs: add response body size limitation Mar 30, 2026
@pellared pellared requested a review from Copilot March 30, 2026 11:45
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a specification requirement for clients to cap OTLP response parsing size (including post-decompression) to mitigate excessive memory usage risks (CWE-789).

Changes:

  • Add normative guidance to limit OTLP/gRPC response parsing size (recommended 32 KiB) and treat oversize responses as non-retryable.
  • Add the same response-size-limiting guidance to OTLP/HTTP responses.
  • Document the change in the Unreleased changelog.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
docs/specification.md Adds client-side response size limit requirements for both gRPC and HTTP OTLP responses.
CHANGELOG.md Notes the documentation/spec update in the Unreleased section.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pellared pellared requested a review from Copilot March 30, 2026 12:06
@pellared
Copy link
Copy Markdown
Member Author

pellared commented Mar 30, 2026

Do we also want to have something like (as a separate PR):

The server MUST limit the size of the request body when parsing it, including
after decompression, to mitigate possible excessive memory usage caused by a misconfigured or malicious client. It is RECOMMENDED to limit the request body to 64 MiB.

Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pellared pellared marked this pull request as ready for review March 30, 2026 12:09
@pellared pellared mentioned this pull request Mar 30, 2026
Open
martincostello added a commit to martincostello/opentelemetry-dotnet that referenced this pull request Mar 30, 2026
@martincostello
[OTLP] Limit response body size read by exporters
18b5811 
Limit the length of the HTTP response body that is read if export fails for gRPC or HTTP.

See open-telemetry/opentelemetry-proto#781.
@martincostello martincostello mentioned this pull request Mar 30, 2026
Open
4 tasks
arminru
arminru reviewed Mar 30, 2026
View reviewed changes
@pellared pellared requested a review from arminru March 30, 2026 14:38
yurishkuro
yurishkuro reviewed Mar 30, 2026
View reviewed changes
@pellared pellared requested a review from yurishkuro March 30, 2026 14:48
yurishkuro
yurishkuro reviewed Mar 30, 2026
View reviewed changes
@pellared pellared requested a review from yurishkuro March 30, 2026 16:11
@tigrannajaryan
Copy link
Copy Markdown
Member

tigrannajaryan commented Mar 30, 2026

For consistency we also need to mention request size limitation enforcement for servers.

@tigrannajaryan
Copy link
Copy Markdown
Member

tigrannajaryan commented Mar 30, 2026

@pellared can you open issues in all other language SDKs to get this applied?

AFAIK, Collector already enforces limits.

jack-berg
jack-berg reviewed Mar 30, 2026
View reviewed changes
@pellared
Copy link
Copy Markdown
Member Author

pellared commented Mar 30, 2026
edited
Loading

For consistency we also need to mention request size limitation enforcement for servers.

@tigrannajaryan, see #781 (comment)

I am going to create a separate PR tomorrow. Added as a follow-up in PR description.

@pellared
Copy link
Copy Markdown
Member Author

pellared commented Mar 30, 2026

@pellared can you open issues in all other language SDKs to get this applied?

AFAIK, Collector already enforces limits.

@tigrannajaryan, I can do it once this PR is merged. Added as a follow-up in PR description.

@pellared
Copy link
Copy Markdown
Member Author

pellared commented Mar 31, 2026
edited
Loading

Do we also want to add some requirement that the server should not respond with content bigger than 4MB? Added as a follow-up in PR description as I do not want to scope creep this PR (also it has already a good amount of approvals).

@pellared pellared mentioned this pull request Mar 31, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@arminru arminru arminru approved these changes

@jack-berg jack-berg jack-berg approved these changes

+5 more reviewers

@dmathieu dmathieu dmathieu approved these changes

@martincostello martincostello martincostello approved these changes

@yurishkuro yurishkuro yurishkuro approved these changes

@Kielek Kielek Kielek approved these changes

@XSAM XSAM XSAM approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@pellared @tigrannajaryan @dmathieu @martincostello @yurishkuro @Kielek @arminru @XSAM @jack-berg