open-telemetry / otel-arrow

Protocol and libraries for sending and receiving OpenTelemetry data using Apache Arrow
Apache License 2.0
84 stars 15 forks

(otelarrowreceiver): blocking clients that misuse the otlp-pdata-size header #185

Open moh-osman3 opened 6 months ago

moh-osman3 commented 6 months ago

After https://github.com/open-telemetry/otel-arrow/pull/181 is merged, there is a potential vulnerability where clients can misuse the otlp-pdata-size header that the otelarrowexporter adds to outgoing requests. This header is meant to allow the receiver to know the uncompressed size of the incoming request without doing any decompression or translation/allocations into pdata objects, so that we can have finer control over the inflight memory usage within the receiver.

However, as was pointed out in https://github.com/open-telemetry/otel-arrow/pull/181#discussion_r1593422695, this header could be misused with values much larger than the actual uncompressed size and potentially block our receivers from processing any other requests. We need a method to identify clients that misuse this header and ban them from sending subsequent requests to ensure the availability of our server.
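The following is an added example, not code from otel-arrow or from the issue author, sketching the kind of admission control the issue is asking for: a bounded inflight-bytes budget that each request reserves with the size it declares up front, a hard per-request cap so a single claim can never take the whole budget, non-blocking refusal when the budget is exhausted, and a per-client strike counter that is incremented when the declared size turns out to be far larger than the bytes actually decoded. All names (`Admitter`, `Acquire`, `Release`, the error values, the client key, and the sample sizes) are this example's own assumptions; how the real receiver computes the actual decoded size and identifies a client is not taken from the page.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Sentinel errors returned by the admitter (names are this example's own).
var (
	ErrTooLarge    = errors.New("declared size exceeds per-request limit")
	ErrNoCapacity  = errors.New("inflight budget exhausted, retry later")
	ErrBanned      = errors.New("client banned for misreporting request size")
	ErrMisreported = errors.New("declared size disagrees with actual decoded size")
)

// Admitter tracks a bounded inflight-bytes budget that requests reserve using
// the size they declare in a header (the otlp-pdata-size idea), plus a
// per-client strike counter for requests whose declared size is far larger
// than what was actually decoded.
type Admitter struct {
	mu         sync.Mutex
	limitBytes int64   // total inflight budget across all clients
	maxRequest int64   // largest single declared size we will reserve
	inflight   int64   // bytes currently reserved
	tolerance  float64 // declared/actual ratio above which a request is a misreport
	maxStrikes int     // strikes before a client is banned
	strikes    map[string]int
	banned     map[string]bool
}

// NewAdmitter builds an admitter with the given budget, per-request cap,
// misreport tolerance and strike limit.
func NewAdmitter(limitBytes, maxRequest int64, tolerance float64, maxStrikes int) *Admitter {
	return &Admitter{
		limitBytes: limitBytes, maxRequest: maxRequest,
		tolerance: tolerance, maxStrikes: maxStrikes,
		strikes: map[string]int{}, banned: map[string]bool{},
	}
}

// Acquire reserves declared bytes for client, or refuses immediately.
// Refusing instead of waiting is what keeps one oversized claim from
// stalling every other client queued behind it.
func (a *Admitter) Acquire(client string, declared int64) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	switch {
	case a.banned[client]:
		return ErrBanned
	case declared <= 0 || declared > a.maxRequest:
		return ErrTooLarge
	case a.inflight+declared > a.limitBytes:
		return ErrNoCapacity
	}
	a.inflight += declared
	return nil
}

// Release returns the reservation after decoding and compares the declared
// size with the actual decoded size. An overstatement beyond the tolerance
// earns a strike; reaching maxStrikes bans the client from further requests.
func (a *Admitter) Release(client string, declared, actual int64) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.inflight -= declared
	if actual <= 0 || float64(declared) > a.tolerance*float64(actual) {
		a.strikes[client]++
		if a.strikes[client] >= a.maxStrikes {
			a.banned[client] = true
		}
		return ErrMisreported
	}
	return nil
}

// Inflight reports the bytes currently reserved.
func (a *Admitter) Inflight() int64 {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.inflight
}

// Banned reports whether client has been banned.
func (a *Admitter) Banned(client string) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.banned[client]
}

func main() {
	// Constructed scenario: 10 MiB budget, 4 MiB per-request cap, 2x tolerance, 3 strikes.
	adm := NewAdmitter(10<<20, 4<<20, 2.0, 3)
	// A client that repeatedly declares 4 MiB but whose payload decodes to ~1 KiB.
	for i := 0; i < 4; i++ {
		if err := adm.Acquire("client-a", 4<<20); err != nil {
			fmt.Println("acquire:", err)
			continue
		}
		fmt.Println("release:", adm.Release("client-a", 4<<20, 1024))
	}
}
```

The important design choice is that the declared value is trusted only for the reservation, never as ground truth: every request is reconciled against the real decoded size on release, so a client gains nothing lasting from inflating the header, and the per-request cap bounds the damage any single inflated request can do before the strike mechanism catches up with it.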