
jsonrpc: add a batch size limit for RPC requests #2867

@cason

Our homemade RPC implementation, jsonrpc, allows users to invoke multiple RPC methods using a single request, using batching. While this is not a problem, it may constitute a form of attack vector.

By investigating the code, batching is implemented by this method:

// first try to unmarshal the incoming request as an array of RPC requests

Not sure if this is the only method implementing batched requests, but this one was identified by running a test client.

We should consider adding a configuration parameter to limit the size/length of batched RPC requests submitted to Comet. To preserve backwards compatibility, the default value for this parameter can be 0, meaning no limit.
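
A sketch of the proposed limit, as an added example that is not CometBFT's code and not part of the original issue: `decodeRequests`, `maxBatchSize`, `rpcRequest` and `ErrBatchTooLarge` are hypothetical names, and the batch in `main` is constructed sample input. A limit of 0 means no limit, as the issue proposes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// ErrBatchTooLarge is returned when a batch exceeds the configured limit.
var ErrBatchTooLarge = errors.New("batch request exceeds configured limit")

// rpcRequest is a minimal JSON-RPC request (hypothetical type).
type rpcRequest struct {
	ID     json.RawMessage `json:"id"`
	Method string          `json:"method"`
}

// decodeRequests parses body as a batch (JSON array) or a single request.
// maxBatchSize is a hypothetical config value; 0 keeps today's behaviour (no limit).
func decodeRequests(body []byte, maxBatchSize int) ([]rpcRequest, error) {
	trimmed := bytes.TrimSpace(body)
	if len(trimmed) == 0 || trimmed[0] != '[' {
		var req rpcRequest
		if err := json.Unmarshal(trimmed, &req); err != nil {
			return nil, fmt.Errorf("invalid request: %w", err)
		}
		return []rpcRequest{req}, nil
	}
	// Count raw elements first: an oversized batch is rejected before any
	// request is dispatched. This bounds handler work, not JSON parse cost.
	var raw []json.RawMessage
	if err := json.Unmarshal(trimmed, &raw); err != nil {
		return nil, fmt.Errorf("invalid batch: %w", err)
	}
	if maxBatchSize > 0 && len(raw) > maxBatchSize {
		return nil, fmt.Errorf("%w: got %d, max %d", ErrBatchTooLarge, len(raw), maxBatchSize)
	}
	reqs := make([]rpcRequest, len(raw))
	for i, r := range raw {
		if err := json.Unmarshal(r, &reqs[i]); err != nil {
			return nil, fmt.Errorf("invalid request %d: %w", i, err)
		}
	}
	return reqs, nil
}

func main() { // constructed sample batch of two requests against a limit of one
	_, err := decodeRequests([]byte(`[{"id":1,"method":"health"},{"id":2,"method":"status"}]`), 1)
	fmt.Println(err)
}
```

Because the whole array is still parsed before it is counted, a cap on the request body size remains a separate control.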
