Description
Component(s)
config/confighttp
What happened?
Describe the bug
otelhttp uses r.Method + " " + r.Pattern as the span name of the HTTP server span (code). While r.Pattern is usually guarded against high cardinality thanks to the mux, r.Method is open to high cardinality since it uses the request method directly from the request, which may come from bad actors. It is possible to spam the telemetry backend with garbage r.Method values like FOOBAR.
Should confighttp or otlp receiver use safe defaults to guard against this kind of high cardinality or is it out of scope of the components?
One possible solution - after calling the innermost handler, mutate to sanitize r.Method but it'll require request field propagation as suggested in #14508 as well as the removal of r.Pattern != "" check in code to always reset the span name.
Steps to reproduce
What did you expect to see?
span dropped or span name sanitized to avoid high cardinality
What did you see instead?
span name FOOBAR /b/{bucket}/o/{objectname...}
Collector version
v0.144.0
Environment information
OpenTelemetry Collector configuration
Log output
Additional context
Slightly related to #14508
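One defensive shape for the problem described above, as an added example that is not code from the collector or from this issue: the method is checked against an allowlist before the instrumented handler runs, unknown methods are rejected with 405, and any span name built from the method uses the "_OTHER_" placeholder that the OpenTelemetry HTTP semantic conventions define for unrecognised methods. The span-name shape (method + " " + pattern) mirrors the issue; the Allow header list and the /b/{bucket}/o/... path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// knownMethods is the allowlist of methods that may reach instrumentation as-is.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// SafeMethod returns the method unchanged when it is allowlisted and the
// semantic-conventions placeholder "_OTHER_" otherwise, bounding cardinality.
func SafeMethod(m string) string {
	if knownMethods[m] {
		return m
	}
	return "_OTHER_"
}

// SpanName builds the method + " " + pattern span name from the sanitized method.
func SpanName(method, pattern string) string {
	return SafeMethod(method) + " " + pattern
}

// BoundedMethodMiddleware rejects non-allowlisted methods with 405 before the
// request reaches the instrumented handler, so no span is named after raw input.
func BoundedMethodMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !knownMethods[r.Method] {
			w.Header().Set("Allow", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Exercise sends a request with the given method through the middleware
// (constructed in-memory request, assumed path) and returns the status code.
func Exercise(method string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	BoundedMethodMiddleware(ok).ServeHTTP(rec, httptest.NewRequest(method, "/b/demo/o/obj", nil))
	return rec.Code
}

func main() {
	fmt.Println(SpanName("FOOBAR", "/b/{bucket}/o/{objectname...}"), Exercise("FOOBAR"), Exercise("GET"))
}
```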