feat: add multipart/form-data XXE detection support

[cedricbu]

Port logic from PR #2864 to detect XXE vulnerabilities when XML content is uploaded as part of a multipart/form-data request. Uses VariantMultipartFormParameters to parse and inject payloads into multipart bodies while preserving other form parts.

Includes import reorder and state reset fix for scanner reuse.

Overview

The original PR #2864 was apparently in a working state, but abandoned (and no longer relevant since aimed at ascan-beta, while XXE was moved to ascan). This PR steals the idea, adapting the code for the latest ascan code.
I tested it against juice-shop, and it worked:
step 1: upload a random XML file in the "complaints" form
step 2: attack the file-upload() POST endpoint, and make sure that XXE policy is enabled

Related Issues

zaproxy/zaproxy#8817
zaproxy/zaproxy#1190

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[psiinon]

Checkmarx One – Scan Summary & Details – 5b33a36d-553f-4426-9958-7cf9931048af

Great job! No new security vulnerabilities introduced in this pull request

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[thc202]

but abandoned (and no longer relevant since aimed at ascan-beta, while XXE was moved to ascan).

Neither is true.

[cedricbu]

I have read the CLA Document and I hereby sign the CLA

[kingthorin]

I believe this should override scan(NameValuePair), checking the type of the name value pair, so that users' input variant selection is respected.

[cedricbu]

but abandoned (and no longer relevant since aimed at ascan-beta, while XXE was moved to ascan).

Neither is true.

Thanks for the clarification

[cedricbu]

I believe this should override scan(NameValuePair), checking the type of the name value pair, so that users' input variant selection is respected.

Thanks! I adapted the code based on your suggestion. I hope I got it right this time