# [OneCollector] Limit response body read size #4117

## Vulnerability Overview

This Pull Request fixes an issue in the `OneCollector` component where the length of the HTTP response body was not limited. When OneCollector sends telemetry data via the HTTP JSON transport, an excessively large response body returned by the server could lead to memory exhaustion or denial of service.

## Impact Scope

- **Component**: OneCollector exporter in OpenTelemetry .NET Contrib
- **Transport Method**: HTTP JSON transport
- **Risk**: An unrestricted response body size may exhaust application memory

## Fix Solution

1. Introduced a shared helper method `TryGetResponseBodyAsString` with a default limit of 4MB
2. Updated `HttpJsonPostTransport` to use the new helper method
3. Added unit tests to verify truncation and character set/stream behavior

## Code Changes

### src/Shared/HttpClientHelpers.cs

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;

internal static class HttpClientHelpers
{
    private const int DefaultMaxResponseBodyLength = 4 * 1024 * 1024; // 4MB

    internal static bool TryGetResponseBodyAsString(HttpResponseMessage response, out string? responseBody)
    {
        responseBody = null;

        if (response.Content == null)
        {
            return false;
        }

        try
        {
            // Reject early when the server declares a body larger than the limit.
            var contentLength = response.Content.Headers.ContentLength;
            if (contentLength.HasValue && contentLength.Value > DefaultMaxResponseBodyLength)
            {
                return false;
            }

            // Content-Length may be absent (chunked transfer) or understated, so the
            // read itself is bounded as well. The out parameter rules out an async
            // method, hence the synchronous wait on the content stream.
            using var stream = response.Content.ReadAsStreamAsync().GetAwaiter().GetResult();
            using var buffered = new MemoryStream();
            var chunk = new byte[8192];
            int read;
            while ((read = stream.Read(chunk, 0, chunk.Length)) > 0)
            {
                if (buffered.Length + read > DefaultMaxResponseBodyLength)
                {
                    return false;
                }

                buffered.Write(chunk, 0, read);
            }

            // Decode with the charset from Content-Type, falling back to UTF-8.
            var charset = response.Content.Headers.ContentType?.CharSet?.Trim('"');
            var encoding = string.IsNullOrEmpty(charset) ? Encoding.UTF8 : Encoding.GetEncoding(charset);
            responseBody = encoding.GetString(buffered.GetBuffer(), 0, (int)buffered.Length);
            return true;
        }
        catch
        {
            // Any read or decoding failure is reported as "no body" rather than thrown.
            return false;
        }
    }
}
```

### src/OpenTelemetry.Exporter.OneCollector/Internal/Transports/HttpJsonPostTransport.cs

```csharp
// Before modification
var responseBody = await response.Content.ReadAsStringAsync();

// After modification
if (!HttpClientHelpers.TryGetResponseBodyAsString(response, out var responseBody))
{
    // Handle cases where the response body is too large or reading fails
    if (this.logger.IsEnabled(LogLevel.Information))
    {
        this.logger.LogInformation("Response body too large or failed to read.");
    }

    return;
}
```

## Test Coverage

- Added unit tests to verify truncation behavior
- Verified character set and stream handling
- Tested boundary conditions for the 4MB limit
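An added xUnit test file, not part of this PR, that exercises the two ways a server can exceed the limit: a declared oversize body (Content-Length above 4MB) and an undeclared one (no Content-Length, as with chunked transfer). It assumes the helper name from the PR and a hypothetical `UndeclaredLengthContent` constructed for the test; the second case passes only if the helper bounds the bytes it actually reads, which a Content-Length check alone does not.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Xunit;

public class ResponseBodyLimitTests
{
    private const int Limit = 4 * 1024 * 1024; // mirrors DefaultMaxResponseBodyLength in the PR

    [Fact]
    public void DeclaredOversizedBodyIsRejected()
    {
        // The server declares a body above the limit via Content-Length; the helper must refuse to read it.
        var response = new HttpResponseMessage(HttpStatusCode.OK) { Content = new ByteArrayContent(new byte[16]) };
        response.Content.Headers.ContentLength = Limit + 1;
        Assert.False(HttpClientHelpers.TryGetResponseBodyAsString(response, out _));
    }

    [Fact]
    public void UndeclaredOversizedBodyIsRejected()
    {
        // No Content-Length at all (as with chunked transfer): a header-only check cannot catch this,
        // so the helper has to bound the number of bytes it actually reads from the stream.
        var response = new HttpResponseMessage(HttpStatusCode.OK) { Content = new UndeclaredLengthContent(Limit + 1) };
        Assert.Null(response.Content.Headers.ContentLength);
        Assert.False(HttpClientHelpers.TryGetResponseBodyAsString(response, out _));
    }

    // Constructed HttpContent that streams `length` zero bytes without reporting a Content-Length.
    private sealed class UndeclaredLengthContent : HttpContent
    {
        private readonly long length;
        public UndeclaredLengthContent(long length) => this.length = length;

        protected override Task SerializeToStreamAsync(Stream stream, TransportContext? context)
        {
            var chunk = new byte[64 * 1024];
            for (long sent = 0; sent < this.length; sent += chunk.Length)
            {
                stream.Write(chunk, 0, (int)Math.Min(chunk.Length, this.length - sent));
            }
            return Task.CompletedTask;
        }

        // Returning false here is what leaves Headers.ContentLength null.
        protected override bool TryComputeLength(out long length) { length = 0; return false; }
    }
}
```

With the default `HttpCompletionOption.ResponseContentRead`, `HttpClient` buffers the whole body before the helper ever sees the response, so the bound only takes effect when the request is sent with `HttpCompletionOption.ResponseHeadersRead` (or `HttpClient.MaxResponseContentBufferSize` is lowered to match).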