You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After #181 is merged there is a potential vulnerability where clients can misuse the otlp-pdata-size header that the otelarrowexporter adds to outgoing requests. This header is meant to allow the receiver to know the uncompressed size of the incoming request without doing any decompression or translation/allocations into pdata objects, so that we can have finer control over the inflight memory usage within the receiver.
However as was pointed out in #181 (comment) this header could be misused with values much larger than the actual uncompressed size and potentially block our receivers from processing any other requests. We need a method to identify clients that misuse this header and ban them from sending subsequent requests to ensure the availability of our server.
The text was updated successfully, but these errors were encountered:
After #181 is merged there is a potential vulnerability where clients can misuse the
otlp-pdata-sizeheader that the otelarrowexporter adds to outgoing requests. This header is meant to allow the receiver to know the uncompressed size of the incoming request without doing any decompression or translation/allocations into pdata objects, so that we can have finer control over the inflight memory usage within the receiver.However as was pointed out in #181 (comment) this header could be misused with values much larger than the actual uncompressed size and potentially block our receivers from processing any other requests. We need a method to identify clients that misuse this header and ban them from sending subsequent requests to ensure the availability of our server.
The text was updated successfully, but these errors were encountered: