Reject unknown fields in TxDecoder and sign mode handlers

[aaronc]

This should wrap up or almost wrap up the critical path of #6213.

• integrates unknown field rejection into the protobuf TxDecoder, rejecting:
  • any unknown fields in TxRaw
  • non-critical unknown fields in TxBody
  • any unknown fields in AuthInfo
• fixes Address SIGN_MODE_LEGACY_AMINO_JSON security issues #6863 by:
  • separating the StdTx and proto Tx amino JSON sign mode handling
  • rejecting non-critical unknown fields in the proto TxBody
  • rejecting proto extensions and non_critical_extensions fields
  • rejecting timeout_height which isn't supported in StdTx
• adds a boolean return parameter to RejectUnknownFields to track if non-critical fields are present in a message
• fixes critical bugs related to field decoding in RejectUnknownFields (cc @odeke-em)

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (see CONTRIBUTING.md)
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Code follows the module structure standards.
• Wrote unit and integration tests
• Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• Added relevant godoc comments.
• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer
• Review Codecov Report in the comment section below once CI passes

[codecov]

Codecov Report

Merging #6883 into master will increase coverage by 3.46%.
The diff coverage is 82.66%.

@@            Coverage Diff             @@
##           master    #6883      +/-   ##
==========================================
+ Coverage   61.57%   65.04%   +3.46%     
==========================================
  Files         518      389     -129     
  Lines       31996    24253    -7743     
==========================================
- Hits        19703    15775    -3928     
+ Misses      10716     7271    -3445     
+ Partials     1577     1207     -370     

[odeke-em]

Thank you for this change @aaronc and for wiring things up! I have left some questions and suggestions, but also I still don't get why the boolean, when the error could be checked.

[aaronc]

Thank you for this change @aaronc and for wiring things up! I have left some questions and suggestions, but also I still don't get why the boolean, when the error could be checked.

There is a case where we want to know if there are non-critical fields without returning an error.

[odeke-em]

There is a case where we want to know if there are non-critical fields without returning an error.

Oh okay, so an explicit customization, gotcha! Thanks for answering my question.

[odeke-em]

To ensure that you aren't blocked @aaronc when you get back this, from the protoc-side LGTM with just the change to avoid the allocation and revert to (*types.Any)(nil). Thank you and great to see this all come alive!

[anilcse]

lgtm

[aaronc]

@alexanderbez note that TimeoutHeight is being now rejected by SIGN_MODE_LEGACY_AMINO_JSON (because otherwise it's a malleability issue) so if you are adding it to StdTx in #6089, you'll need to remove these lines.

[alexanderbez]

Thanks for pointing that out!