docs: add request body size limitation #782
pellared wants to merge 6 commits into open-telemetry:main from
docs/specification.md
Outdated
| The server MUST enforce a message size limit when receiving the request to | ||
| mitigate possible excessive memory usage caused by a misconfigured or malicious | ||
| server. The server implementations typically enforce a default incoming message | ||
| size limit of 4 MiB, which is acceptable to use. If the limit is exceeded, the | ||
| client MUST treat the error as not-retryable. Note that in such a scenario, | ||
| the gRPC server implementations return a `RESOURCE_EXHAUSTED` status code | ||
| to the caller. | ||
|
|
||
| The client SHOULD limit the size of the request message, including before | ||
| compression, to avoid overwhelming the server. It is RECOMMENDED to limit the | ||
| request message to 4 MiB. |
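Review bot: The server paragraph does not say whether the 4 MiB limit is measured on the compressed or the decompressed message, while the client paragraph explicitly covers the size "before compression". A server that checks only the compressed size can still allocate far more than the limit once the message is decompressed, so state that the server limit applies to the decompressed message as well. Separately, "which is acceptable to use" is not a normative keyword; wording such as "servers SHOULD use" or "servers MAY use" would tell implementers how binding the 4 MiB default is.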
I am worried that the value is too small for profiles. However, I wanted to use the Collector defaults for initializing the conversation. Should we change it to 20 MiB? This would also follow the pattern from #781 where we agreed on the same size for gRPC and HTTP.
CC @open-telemetry/collector-maintainers @open-telemetry/profiling-maintainers
Pull request overview
Updates the OTLP specification documentation to define request size/body limits for OTLP/gRPC and OTLP/HTTP, aiming to reduce memory-exhaustion risk from oversized payloads.
Changes:
- Documented an OTLP/gRPC request message size limit recommendation (4 MiB) and client behavior on oversize errors.
- Documented an OTLP/HTTP request body size limit recommendation (20 MiB) and recommended HTTP 413 handling semantics.
- Added an Unreleased changelog entry for the documentation update.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/specification.md | Adds normative guidance for gRPC request message size limits and HTTP request body limits. |
| CHANGELOG.md | Records the docs change in the Unreleased “Added” section. |
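An added Go example (not code from this PR, the OTLP specification, or the Collector) of the server-side check the review summary describes for OTLP/HTTP: one limit is applied to the bytes on the wire and again to the gzip-decompressed body, and either overflow is answered with HTTP 413. The names `ingestHandler` and `statusFor`, the request path, and the constructed request bodies are assumptions for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ingestHandler (hypothetical name) caps the wire body and the decompressed body.
func ingestHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var src io.Reader = http.MaxBytesReader(w, r.Body, limit) // bytes on the wire
		if r.Header.Get("Content-Encoding") == "gzip" {
			zr, err := gzip.NewReader(src)
			if err != nil {
				http.Error(w, "bad gzip body", http.StatusBadRequest)
				return
			}
			src = zr
		}
		body, err := io.ReadAll(io.LimitReader(src, limit+1)) // +1 byte reveals oversize
		var wireTooBig *http.MaxBytesError
		switch {
		case errors.As(err, &wireTooBig) || (err == nil && int64(len(body)) > limit):
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		case err != nil:
			http.Error(w, "bad request body", http.StatusBadRequest)
		default:
			fmt.Fprintf(w, "accepted %d bytes", len(body))
		}
	})
}

// statusFor replays a constructed request through the handler and returns the status code.
func statusFor(limit int64, body []byte, encoding string) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/traces", bytes.NewReader(body))
	req.Header.Set("Content-Encoding", encoding)
	rec := httptest.NewRecorder()
	ingestHandler(limit).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const limit = 20 << 20 // 20 MiB, the OTLP/HTTP figure from the review summary
	fmt.Println(statusFor(limit, make([]byte, limit+1), ""))
}
```

The second check is the one that matters for compressed requests: a body of a few hundred bytes on the wire can expand well past the limit, and only the cap on the decompressed stream stops it.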
docs/specification.md
Outdated
| server. The server implementations typically enforce a default incoming message | ||
| size limit of 4 MiB, which is acceptable to use. If the limit is exceeded, the | ||
| client MUST treat the error as not-retryable. Note that in such a scenario, |
In the gRPC request size-limit rationale, the actor is incorrect: excessive memory usage here would be caused by a misconfigured or malicious client sending an oversized request, not by a misconfigured/malicious server. This should be corrected to avoid confusing implementers about the threat model and responsibility.
| server. The server implementations typically enforce a default incoming message | |
| size limit of 4 MiB, which is acceptable to use. If the limit is exceeded, the | |
| client MUST treat the error as not-retryable. Note that in such a scenario, | |
| client sending an oversized request. The server implementations typically enforce | |
| a default incoming message size limit of 4 MiB, which is acceptable to use. If the | |
| limit is exceeded, the client MUST treat the error as not-retryable. Note that in |
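Review bot: The last suggested line ends at "Note that in" and drops "such a scenario," from the line it replaces, so once applied the sentence runs into the next unchanged line as "Note that in the gRPC server implementations return a `RESOURCE_EXHAUSTED` status code". Keep the phrase in the suggestion, for example by ending the last suggested line with "Note that in such a scenario," and rewrapping as needed.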
Per #781 (comment)
Add response body size limitation to mitigate memory usage risks
Reference: https://cwe.mitre.org/data/definitions/789.html
The values are taken from otlpreceiver defaults which are