open-telemetry · XSAM · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
@@ -42,6 +42,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - `go.opentelemetry.io/otel/sdk/log` now unwraps error chains created with `fmt.Errorf` when deriving the `error.type` attribute from errors on log records. (#8133)
 - `Set.MarshalLog` method in `go.opentelemetry.io/otel/attribute` now uses `Value.String` formatting following the [OpenTelemetry AnyValue representation for non-OTLP protocols](https://opentelemetry.io/docs/specs/otel/common/#anyvalue). (#8169)
 - Optimize `go.opentelemetry.io/otel/sdk/metric` to return a drop reservoir when `exemplar.AlwaysOffFilter` is configured. (#8211)
+- ⚠️ **Breaking Change:** Enforce the 8192-byte baggage size limit during extraction/parsing, changing behavior when the limit is exceeded in `go.opentelemetry.io/otel/baggage` and `go.opentelemetry.io/otel/propagation`. (#8222)
 
 ### Deprecated
 

@@ -16,6 +16,7 @@ import (
 const (
 	maxMembers               = 64
 	maxBytesPerBaggageString = 8192
+	maxParseErrors           = 5
 
 	listDelimiter     = ","
 	keyValueDelimiter = "="
@@ -493,9 +494,10 @@ func New(members ...Member) (Baggage, error) {
 // from the W3C Baggage specification which allows duplicate list-members, but
 // conforms to the OpenTelemetry Baggage specification.
 //
-// If the baggage-string exceeds the maximum allowed members (64) or bytes
-// (8192), members are dropped until the limits are satisfied and an error is
-// returned along with the partial result.
+// If the baggage-string exceeds the maximum allowed bytes (8192), an empty
+// Baggage and an error are returned. If the baggage-string exceeds the maximum
+// allowed members (64), members are dropped until the limit is satisfied and
+// an error is returned along with the partial result.
 //
 // Invalid members are skipped and the error is returned along with the
 // partial result containing the valid members.
@@ -504,9 +506,14 @@ func Parse(bStr string) (Baggage, error) {
 		return Baggage{}, nil
 	}
 
+	if n := len(bStr); n > maxBytesPerBaggageString {
+		return Baggage{}, fmt.Errorf("%w: %d", errBaggageBytes, n)
+	}
+
 	b := make(baggage.List)
 	sizes := make(map[string]int) // Track per-key byte sizes
 	var totalBytes int
+	var parseErrors int
 	var truncateErr error
 	for memberStr := range strings.SplitSeq(bStr, listDelimiter) {
 		// Check member count limit.
@@ -517,7 +524,10 @@ func Parse(bStr string) (Baggage, error) {
 
 		m, err := parseMember(memberStr)
 		if err != nil {
-			truncateErr = errors.Join(truncateErr, err)
+			parseErrors++
+			if parseErrors <= maxParseErrors {
+				truncateErr = errors.Join(truncateErr, err)
+			}
 			continue // skip invalid member, keep processing
 		}
 
@@ -553,6 +563,10 @@ func Parse(bStr string) (Baggage, error) {
 		totalBytes = newTotalBytes
 	}
 
+	if dropped := parseErrors - maxParseErrors; dropped > 0 {
+		truncateErr = errors.Join(truncateErr, fmt.Errorf("and %d more invalid member(s)", dropped))
+	}
+
 	if len(b) == 0 {
 		return Baggage{}, truncateErr
 	}

@@ -528,8 +528,7 @@ func TestBaggageParse(t *testing.T) {
 		{
 			name: "invalid baggage string: too large",
 			in:   tooLarge,
-			// tooLarge is a single key without "=", so parseMember fails
-			err: errInvalidMember,
+			err:  errBaggageBytes,
 		},
 		{
 			name: "baggage string with too many members keeps first 64",
@@ -544,31 +543,26 @@ func TestBaggageParse(t *testing.T) {
 			err: errMemberNumber,
 		},
 		{
-			name: "baggage string exceeds byte limit returns partial result",
+			name: "baggage string at max size is accepted",
 			in: func() string {
-				// Create members that collectively exceed maxBytesPerBaggageString.
-				// Each member: "kN=" + value. We use values large enough that
-				// a few members fit but the total exceeds 8192 bytes.
+				// Create a baggage string of exactly maxBytesPerBaggageString.
+				// 3 members: "k0=" + 2727v + "," + "k1=" + 2727v + "," + "k2=" + 2727v
+				// = 3*(3+2727) + 2 = 8192
+				val := strings.Repeat("v", 2727)
 				var parts []string
-				val := strings.Repeat("v", 2000)
-				for i := range 10 {
+				for i := range 3 {
 					parts = append(parts, fmt.Sprintf("k%d=%s", i, val))
 				}
 				return strings.Join(parts, ",")
 			}(),
 			want: func() baggage.List {
-				// Only members that fit within 8192 bytes should be kept.
-				// Each member is ~2003 bytes ("kN=" + 2000 "v"s), plus comma.
-				// 4 members = 4*2003 + 3 commas = 8015 bytes (fits).
-				// 5 members = 5*2003 + 4 commas = 10019 bytes (exceeds).
 				b := make(baggage.List)
-				val := strings.Repeat("v", 2000)
-				for i := range 4 {
+				val := strings.Repeat("v", 2727)
+				for i := range 3 {
 					b[fmt.Sprintf("k%d", i)] = baggage.Item{Value: val}
 				}
 				return b
 			}(),
-			err: errBaggageBytes,
 		},
 		{
 			name: "percent-encoded octet sequences do not match the UTF-8 encoding scheme",
@@ -1272,3 +1266,57 @@ func BenchmarkMemberString(b *testing.B) {
 		_ = member.String()
 	}
 }
+
+func BenchmarkParseOversized(b *testing.B) {
+	// 1MB oversized baggage string.
+	oversized := strings.Repeat("k=v,", 250000)
+
+	b.ReportAllocs()
+
+	for b.Loop() {
+		benchBaggage, _ = Parse(oversized)
+	}
+}
+
+func TestParseErrorCap(t *testing.T) {
+	// Build a baggage string with many invalid members (no '=' delimiter).
+	// All within the 8192 byte limit.
+	var parts []string
+	for i := range 20 {
+		parts = append(parts, fmt.Sprintf("bad%d", i))
+	}
+	// Add one valid member so the baggage is not empty.
+	parts = append(parts, "good=val")
+	bStr := strings.Join(parts, ",")
+
+	b, err := Parse(bStr)
+	assert.ErrorIs(t, err, errInvalidMember)
+	assert.Equal(t, 1, b.Len(), "should return the valid member")
+
+	// Count the number of joined errors.
+	errs := err.Error()
+	invalidCount := strings.Count(errs, "invalid baggage list-member")
+	assert.Equal(t, maxParseErrors, invalidCount,
+		"should cap individual parse errors at maxParseErrors")
+	assert.Contains(t, errs, "and 15 more invalid member(s)")
+}
+
+func TestParseErrorCapAllInvalid(t *testing.T) {
+	// All members invalid, no valid members. Exercises the len(b)==0
+	// return path with a capped error message.
+	var parts []string
+	for i := range 20 {
+		parts = append(parts, fmt.Sprintf("bad%d", i))
+	}
+	bStr := strings.Join(parts, ",")
+
+	b, err := Parse(bStr)
+	assert.ErrorIs(t, err, errInvalidMember)
+	assert.Equal(t, 0, b.Len(), "should return empty baggage")
+
+	errs := err.Error()
+	invalidCount := strings.Count(errs, "invalid baggage list-member")
+	assert.Equal(t, maxParseErrors, invalidCount,
+		"should cap individual parse errors at maxParseErrors")
+	assert.Contains(t, errs, "and 15 more invalid member(s)")
+}
@@ -5,6 +5,8 @@ package propagation // import "go.opentelemetry.io/otel/propagation"
 
 import (
 	"context"
+	"errors"
+	"fmt"
 
 	"go.opentelemetry.io/otel/baggage"
 	"go.opentelemetry.io/otel/internal/errorhandler"
@@ -15,7 +17,9 @@ const (
 
 	// W3C Baggage specification limits.
 	// https://www.w3.org/TR/baggage/#limits
-	maxMembers = 64
+	maxMembers               = 64
+	maxBytesPerBaggageString = 8192
+	maxParseErrors           = 5
 )
 
 // Baggage is a propagator that supports the W3C Baggage format.
@@ -72,10 +76,36 @@ func extractMultiBaggage(parent context.Context, carrier ValuesGetter) context.C
 	}
 
 	var members []baggage.Member
+	var totalBytes int
+	var parseErrors int
+	var truncateErr error
 	for _, bStr := range bVals {
+		totalBytes += len(bStr)
+		if totalBytes > maxBytesPerBaggageString {
+			parseErrors++
+			if parseErrors <= maxParseErrors {
+				truncateErr = errors.Join(
+					truncateErr,
+					fmt.Errorf(
+						"baggage: aggregate header size %d exceeds %d byte limit",
+						totalBytes,
+						maxBytesPerBaggageString,
+					),
+				)
+			}
+			break
+		}
+
 		currBag, err := baggage.Parse(bStr)
 		if err != nil {
-			errorhandler.GetErrorHandler().Handle(err)
+			if uw, ok := err.(interface{ Unwrap() []error }); ok {
+				parseErrors += len(uw.Unwrap())
+			} else {
+				parseErrors++
+			}
+			if parseErrors <= maxParseErrors {
+				truncateErr = errors.Join(truncateErr, err)
+			}
 		}
 		if currBag.Len() == 0 {
 			continue
@@ -86,10 +116,18 @@ func extractMultiBaggage(parent context.Context, carrier ValuesGetter) context.C
 		}
 	}
 
+	if dropped := parseErrors - maxParseErrors; dropped > 0 {
+		truncateErr = errors.Join(truncateErr, fmt.Errorf("and %d more error(s)", dropped))
+	}
+
 	b, err := baggage.New(members...)
 	if err != nil {
-		errorhandler.GetErrorHandler().Handle(err)
+		truncateErr = errors.Join(truncateErr, err)
 	}
+	if truncateErr != nil {
+		errorhandler.GetErrorHandler().Handle(truncateErr)
+	}
+
 	if b.Len() == 0 {
 		return parent
 	}

@@ -12,10 +12,13 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 
+	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/baggage"
 	"go.opentelemetry.io/otel/propagation"
 )
 
+const maxBytesPerBaggageString = 8192
+
 type property struct {
 	Key, Value string
 }
@@ -164,7 +167,6 @@ func generateMembers(n int, prefix string) members {
 func TestExtractValidMultipleBaggageHeaders(t *testing.T) {
 	// W3C Baggage spec limits: https://www.w3.org/TR/baggage/#limits
 	const maxMembers = 64
-	const maxBytesPerBaggageString = 8192
 
 	prop := propagation.TextMapPropagator(propagation.Baggage{})
 	tests := []struct {
@@ -297,7 +299,7 @@ func TestExtractValidMultipleBaggageHeaders(t *testing.T) {
 			wantMaxBytes: maxBytesPerBaggageString,
 		},
 		{
-			name: "skips large member that exceeds byte limit and continues",
+			name: "stops processing when aggregate byte budget exceeded",
 			headers: []string{
 				"small1=v1,small2=v2",
 				"large=" + strings.Repeat("x", maxBytesPerBaggageString),
@@ -306,7 +308,6 @@ func TestExtractValidMultipleBaggageHeaders(t *testing.T) {
 			want: members{
 				{Key: "small1", Value: "v1"},
 				{Key: "small2", Value: "v2"},
-				{Key: "small3", Value: "v3"},
 			},
 		},
 	}
@@ -498,3 +499,91 @@ func TestBaggagePropagatorGetAllKeys(t *testing.T) {
 		t.Errorf("GetAllKeys: -got +want %s", diff)
 	}
 }
+
+func TestExtractOversizedSingleBaggageHeader(t *testing.T) {
+	prop := propagation.Baggage{}
+	req, _ := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://example.com", http.NoBody)
+	// Set a single baggage header exceeding 8192 bytes.
+	req.Header.Set("baggage", "key="+strings.Repeat("v", maxBytesPerBaggageString))
+
+	ctx := prop.Extract(t.Context(), propagation.HeaderCarrier(req.Header))
+	got := baggage.FromContext(ctx)
+	assert.Equal(t, 0, got.Len(), "oversized header should result in empty baggage")
+}
+
+type errHandler struct {
+	err error
+}
+
+func (e *errHandler) Handle(err error) { e.err = err }
+
+func TestExtractManyBaggageHeader(t *testing.T) {
+	tests := []struct {
+		name       string
+		headers    func() []string
+		want       func() members
+		wantErrStr []string
+	}{
+		{
+			name: "aggregate byte budget exceeded",
+			headers: func() []string {
+				// 100 headers, each ~195 bytes. Total: ~19.5KB, well over 8192.
+				h := make([]string, 100)
+				for i := range 100 {
+					h[i] = fmt.Sprintf("k%d=%s", i, strings.Repeat("v", 190))
+				}
+				return h
+			},
+			want: func() members {
+				m := make(members, 42)
+				for i := range 42 {
+					m[i] = member{Key: fmt.Sprintf("k%d", i), Value: strings.Repeat("v", 190)}
+				}
+				return m
+			},
+			wantErrStr: []string{"aggregate header size 8332 exceeds 8192 byte limit"},
+		},
+		{
+			name: "too many invalid headers triggers error cap",
+			headers: func() []string {
+				// 10 invalid headers (no '=' delimiter) followed by 1 valid.
+				// Each invalid header produces 1 parse error from baggage.Parse.
+				// maxParseErrors=5, so 5 errors are kept and 5 are summarized.
+				h := make([]string, 11)
+				for i := range 10 {
+					h[i] = fmt.Sprintf("bad%d", i)
+				}
+				h[10] = "good=val"
+				return h
+			},
+			want: func() members {
+				return members{{Key: "good", Value: "val"}}
+			},
+			wantErrStr: []string{"invalid baggage list-member", "and 5 more error(s)"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			originalErrorHandler := otel.GetErrorHandler()
+			eh := &errHandler{}
+			otel.SetErrorHandler(eh)
+			t.Cleanup(func() { otel.SetErrorHandler(originalErrorHandler) })
+
+			prop := propagation.Baggage{}
+			req, _ := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://example.com", http.NoBody)
+			for _, h := range tt.headers() {
+				req.Header.Add("baggage", h)
+			}
+
+			ctx := prop.Extract(t.Context(), propagation.HeaderCarrier(req.Header))
+			got := baggage.FromContext(ctx)
+
+			assert.Equal(t, tt.want().Baggage(t), got)
+			assert.Error(t, eh.err)
+			for _, s := range tt.wantErrStr {
+				assert.Contains(t, eh.err.Error(), s)
+			}
+		})
+	}
+}