docs: add response size limitation#781
Conversation
pellared
changed the title
pellared
changed the title
There was a problem hiding this comment.
Pull request overview
Adds a specification requirement for clients to cap OTLP response parsing size (including post-decompression) to mitigate excessive memory usage risks (CWE-789).
Changes:
- Add normative guidance to limit OTLP/gRPC response parsing size (recommended 32 KiB) and treat oversize responses as non-retryable.
- Add the same response-size-limiting guidance to OTLP/HTTP responses.
- Document the change in the Unreleased changelog.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/specification.md | Adds client-side response size limit requirements for both gRPC and HTTP OTLP responses. |
| CHANGELOG.md | Notes the documentation/spec update in the Unreleased section. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Do we also want to have something like (as a separate PR):
|
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Limit the length of the HTTP response body that is read if export fails for gRPC or HTTP. See open-telemetry/opentelemetry-proto#781.
|
Do we also want to add some requirement that the server should not respond with content bigger than 4MB? Added as a follow-up in PR description as I do not want to scope creep this PR (also it has already a good amount of approvals). |
pellared
changed the title
Add response body size limitation to mitigate memory usage risks
Reference: https://cwe.mitre.org/data/definitions/789.html
OTel implementations:
Follow-ups