Skip to content

limit response body size for OTLP HTTP exporters#8108

Merged
pellared merged 11 commits intoopen-telemetry:mainfrom
pellared:otlp-http-body-limit
Apr 1, 2026
Merged

limit response body size for OTLP HTTP exporters#8108
pellared merged 11 commits intoopen-telemetry:mainfrom
pellared:otlp-http-body-limit

Conversation

@pellared
Copy link
Copy Markdown
Member

@pellared pellared commented Mar 30, 2026
edited
Loading

@pellared pellared mentioned this pull request Mar 30, 2026
Merged
4 tasks
@pellared pellared marked this pull request as ready for review March 30, 2026 12:43
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 30, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.8%. Comparing base (35214b6) to head (7e2b34a).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@          Coverage Diff          @@
##            main   #8108   +/-   ##
=====================================
  Coverage   81.7%   81.8%           
=====================================
  Files        308     308           
  Lines      23691   23709   +18     
=====================================
+ Hits       19374   19399   +25     
+ Misses      3934    3932    -2     
+ Partials     383     378    -5
Files with missing lines Coverage Δ
exporters/otlp/otlplog/otlploghttp/client.go 85.7% <100.0%> (+2.2%) ⬆️
exporters/otlp/otlpmetric/otlpmetrichttp/client.go 83.5% <100.0%> (+1.8%) ⬆️
exporters/otlp/otlptrace/otlptracehttp/client.go 78.8% <100.0%> (+1.6%) ⬆️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@1seal
Copy link
Copy Markdown

1seal commented Mar 30, 2026

ptal done.

this matches the issue i reported: response-body reads for diagnostics are now bounded instead of copied unbounded into memory. please just ensure tests cover success + error paths, including chunked and gzip responses, across trace/metric/log exporters.

from my side, this looks like the right fix.

@pellared
Copy link
Copy Markdown
Member Author

pellared commented Mar 31, 2026

@1seal,

ptal done.

Thanks!

including chunked and gzip responses

I checked it already. The http.Client automatically handles gzip decompression as well as handles chunked transfer encoding transparently.

@pellared pellared merged commit 5e363de into open-telemetry:main Apr 1, 2026
32 checks passed
@pellared pellared added this to the v1.43.0 milestone Apr 1, 2026
@dmathieu dmathieu mentioned this pull request Apr 2, 2026
Merged
dmathieu added a commit that referenced this pull request Apr 3, 2026
@dmathieu @MrAlias
Release v1.43.0 / v0.65.0 / v0.19.0 (#8128)
9276201 
Release issue:
#8127

## Added

- Add `IsRandom` and `WithRandom` on `TraceFlags`, and `IsRandom` on
`SpanContext` in `go.opentelemetry.io/otel/trace`
for [W3C Trace Context Level 2 Random Trace ID
Flag](https://www.w3.org/TR/trace-context-2/#random-trace-id-flag)
support. (#8012)
- Add service detection with `WithService` in
`go.opentelemetry.io/otel/sdk/resource`. (#7642)
- Add `DefaultWithContext` and `EnvironmentWithContext` in
`go.opentelemetry.io/otel/sdk/resource` to support plumbing
`context.Context` through default and environment detectors. (#8051)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`.
(#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`.
(#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`. (#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`.
(#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`.
(#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#8038)
- Support attributes with empty value (`attribute.EMPTY`) in
`go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. (#8038)
- Add support for per-series start time tracking for cumulative metrics
in `go.opentelemetry.io/otel/sdk/metric`.
  Set `OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true` to enable. (#8060)
- Add `WithCardinalityLimitSelector` for metric reader for configuring
cardinality limits specific to the instrument kind. (#7855)

## Changed

- Introduce the `EMPTY` Type in `go.opentelemetry.io/otel/attribute` to
reflect that an empty value is now a valid value, with `INVALID`
remaining as a deprecated alias of `EMPTY`. (#8038)
- Refactor slice handling in `go.opentelemetry.io/otel/attribute` to
optimize short slice values with fixed-size fast paths. (#8039)
- Improve performance of span metric recording in
`go.opentelemetry.io/otel/sdk/trace` by returning early if
self-observability is not enabled. (#8067)
- Improve formatting of metric data diffs in
`go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. (#8073)

## Deprecated

- Deprecate `INVALID` in `go.opentelemetry.io/otel/attribute`. Use
`EMPTY` instead. (#8038)

## Fixed

- Return spec-compliant `TraceIdRatioBased` description. This is a
breaking behavioral change, but it is necessary to
make the implementation
[spec-compliant](https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased).
(#8027)
- Fix a race condition in `go.opentelemetry.io/otel/sdk/metric` where
the lastvalue aggregation could collect the value 0 even when no
zero-value measurements were recorded. (#8056)
- Limit HTTP response body to 4 MiB in
`go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to
mitigate excessive memory usage caused by a misconfigured or malicious
server.
Responses exceeding the limit are treated as non-retryable errors.
(#8108)
- Limit HTTP response body to 4 MiB in
`go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` to
mitigate excessive memory usage caused by a misconfigured or malicious
server.
Responses exceeding the limit are treated as non-retryable errors.
(#8108)
- Limit HTTP response body to 4 MiB in
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to
mitigate excessive memory usage caused by a misconfigured or malicious
server.
Responses exceeding the limit are treated as non-retryable errors.
(#8108)
- `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to
use full path for `kenv` command on BSD. (#8113)
- Fix missing `request.GetBody` in
`go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to
correctly handle HTTP2 GOAWAY frame. (#8096)

---------

Co-authored-by: Tyler Yahn <MrAlias@users.noreply.github.com>
@claude claude bot mentioned this pull request Apr 8, 2026
Merged
This was referenced Apr 9, 2026
Merged
Merged
This was referenced Apr 9, 2026
Merged
Merged
Merged
Merged
Merged
Copilot AI mentioned this pull request Apr 9, 2026
Open
This was referenced Apr 10, 2026
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmathieu dmathieu dmathieu approved these changes

@XSAM XSAM XSAM approved these changes

@MrAlias MrAlias Awaiting requested review from MrAlias MrAlias is a code owner

@dashpole dashpole Awaiting requested review from dashpole dashpole is a code owner

@flc1125 flc1125 Awaiting requested review from flc1125 flc1125 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.43.0

Development

Successfully merging this pull request may close these issues.

4 participants

@pellared @1seal @dmathieu @XSAM