cap RPC response size to prevent OOM from compromised Zebra backend

node.rs rpc_call() now reads bytes with 10MB cap before json parsing.
Prior version called resp.json() with no size limit on untrusted RPC data.

Found by self-hunt via BountyBlitz engine.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Zk-nd3r

src/node.rs

@@ -62,7 +62,12 @@ impl ZebraRpcBackend {
             .await
             .context("RPC request failed")?;
 
-        let json: serde_json::Value = resp.json().await.context("RPC response parse failed")?;
+        // Size-capped RPC response: prevents OOM from malicious/compromised Zebra backend
+        let bytes = resp.bytes().await.context("RPC response read failed")?;
+        if bytes.len() > 10 * 1024 * 1024 {
+            anyhow::bail!("RPC response too large: {} bytes", bytes.len());
+        }
+        let json: serde_json::Value = serde_json::from_slice(&bytes).context("RPC response parse failed")?;
 
         if let Some(error) = json.get("error") {
             if !error.is_null() {