XWiki Platform / XWIKI-23355

REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis


Details

    Description

      Steps to reproduce:

      Request xwiki/rest/wikis/xwiki/spaces a few times (potentially 50 times, but far fewer might be enough) on a wiki with a million (non-terminal) pages.

      Expected result:

      The wiki is still available and processing other requests.

      Actual result:

      The wiki goes down with an out of memory error after allocating more than 10GB of memory. This attack can be repeated very easily after the wiki comes back up.

      This is because we don't enforce any limits on the number of results this or other REST APIs can return, and at least some REST APIs don't even apply a default limit.

      We observed actual exploitation of this issue, though it's not clear if the exploitation was intentionally trying to bring down the instance or just exploring the REST API. However, based on this experience, we should consider this issue to be either actively exploited or at least very likely to be exploited.
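      As an added example (not part of this issue or of XWiki's own code), a small detector a wiki operator could run over web-server access logs to spot the repeated listing requests described above. The combined log format, the sample lines, the 60-second window and the threshold of five requests are all assumptions; the path pattern is the resource named in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the unbounded listing resource named in the report (wiki name varies);
# assumption: other listing resources can be added to this pattern.
LISTING_RE = re.compile(r"^/xwiki/rest/wikis/[^/?]+/spaces(?:\?.*)?$")
# Combined access-log format (assumed): client ident user [time] "req" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: one client hammers the listing, one uses it occasionally,
# one only browses regular wiki pages.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Jun/2025:10:00:{s:02d} +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 5123'
     for s in (1, 4, 9, 15, 22, 30)]
    + ['198.51.100.9 - - [10/Jun/2025:10:00:05 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 5123',
       '198.51.100.9 - - [10/Jun/2025:10:03:05 +0000] "GET /xwiki/rest/wikis/xwiki/spaces HTTP/1.1" 200 5123']
    + [f'192.0.2.44 - - [10/Jun/2025:10:00:{s:02d} +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8800'
       for s in range(0, 60, 6)]
)

def parse_line(line):
    """Return (client, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each client to its peak number of listing requests inside any
    sliding `window`; clients below `threshold` are omitted."""
    stamps_by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "GET" and LISTING_RE.match(rec[3]):
            stamps_by_client[rec[0]].append(rec[1])
    bursts = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):      # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[client] = peak
    return bursts
```

      Calling find_bursts(SAMPLE_LOG) reports only the first client, with six listing requests inside one minute; feed real log text instead of the sample to use it on an instance.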

            People

              Michael Hamann