OTLP HTTP exporter reads unbounded response bodies into memory

[lalitb]

Description

The OTLP HTTP exporter in opentelemetry-cpp appears to read the full HTTP response body into memory without a size limit.

Relevant code:

exporters/otlp/src/otlp_http_client.cc
ext/include/opentelemetry/ext/http/client/http_client.h

What looks problematic:

• the HTTP client exposes the full response body as std::vector<uint8_t>
• the OTLP HTTP handler then copies it again into a std::string

So a malicious or compromised OTLP/HTTP endpoint could return a very large response body and cause excessive memory allocation, potentially leading to OOM.

This looks similar to the issue being discussed in other OTel SDKs:

open-telemetry/opentelemetry-go GHSA-w8rr-5gcm-pp58

[johnmichaelll238-cloud]

Hi. Please I am SUPER interested in contributing to this, Please can I get assigned and work on this? I'd love to work on this

[marcalff]

Hi. Please I am SUPER interested in contributing to this, Please can I get assigned and work on this? I'd love to work on this

Thanks for your interest.

There is no need to assign issues, anyone is free -- and encouraged -- to submit contributions with a pull request (PR).

[johnmichaelll238-cloud]

Hi. Please I am SUPER interested in contributing to this, Please can I get assigned and work on this? I'd love to work on this

Thanks for your interest.

There is no need to assign issues, anyone is free -- and encouraged -- to submit contributions with a pull request (PR).

Ok, thanks. I'll try my best. I'm new to open source but this issue really piqued my interest. Thanks again!

[johnmichaelll238-cloud]

Hello, there are some things I'd like to verify please.

1. Does the HTTP client already support limits but they’re just unused?
2. Is there a config option for max response size?
   Because I suspect the real fix may be in the HTTP layer, not just OTLP.
   Another question is if it's even necessary for the exporter to read the whole body most of the time. A lot of the time "success" or "failure" is an adequate response, so I believe the best fix would be to always check the status code first and only read the body if necessary, while still enforcing a strict size limit or buffer. What do you think? Should I go about it this way or are there any improvements that can be added to my approach before I start?