Conversation

crowdsec-automation
Contributor

This rule detects exploitation attempts of the GeoServer WFS XXE vulnerability (CVE-2025-30220). The attack is performed by sending a POST request to the /geoserver/wfs endpoint with an XML body containing an xsi:schemaLocation attribute, which is a common vector for XXE attacks.

  • The first rule block matches requests to the /geoserver/wfs endpoint, using a case-insensitive match (lowercase transform).
  • The second rule block inspects the raw body of the request for the presence of xsi:schemalocation=, which is indicative of an attempt to inject an external entity reference via XML schema location.
  • The use of RAW_BODY is appropriate because the payload is XML and not form-encoded, and the attack pattern is not tied to a specific argument but to the XML structure.
  • The transforms ensure case-insensitive matching.
  • The labels section includes the correct CVE, ATT&CK, and CWE references.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-30220.yaml
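The two-block matching logic described in the PR, emulated over constructed sample traffic as an added example (this is not the CrowdSec rule file or rule engine; the `Request` type, the use of a `contains` match on the URI, and the sample requests are assumptions made for the illustration):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for the request fields the two rule blocks inspect."""
    method: str
    uri: str
    body: str


# Match values exactly as the PR describes them: lowercase, used with contains.
WFS_PATH = "/geoserver/wfs"
BODY_MARKER = "xsi:schemalocation="


def matches_vpatch_rule(req: Request) -> bool:
    """True when both rule blocks fire (the blocks are ANDed in the rule).

    Block 1: URI zone, lowercase transform, contains /geoserver/wfs.
    Block 2: RAW_BODY zone, lowercase transform, contains xsi:schemalocation=.
    Using 'contains' for the URI block is an assumption; the PR text only
    says the block matches requests to that endpoint.
    """
    uri_hit = WFS_PATH in req.uri.lower()      # lowercase transform on URI
    body_hit = BODY_MARKER in req.body.lower()  # lowercase transform on RAW_BODY
    return uri_hit and body_hit


# Constructed sample bodies (not captured data). The first is an ordinary
# GetFeature envelope whose root element carries an xsi:schemaLocation hint.
WFS_BODY_WITH_SCHEMALOCATION = (
    '<?xml version="1.0"?>'
    '<wfs:GetFeature service="WFS" version="1.1.0" '
    'xmlns:wfs="http://www.opengis.net/wfs" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:schemaLocation="http://www.opengis.net/wfs '
    'http://schemas.opengis.net/wfs/1.1.0/wfs.xsd">'
    '<wfs:Query typeName="topp:states"/></wfs:GetFeature>'
)
WFS_BODY_PLAIN = (
    '<wfs:GetFeature service="WFS" version="1.1.0" '
    'xmlns:wfs="http://www.opengis.net/wfs">'
    '<wfs:Query typeName="topp:states"/></wfs:GetFeature>'
)

# Constructed sample requests covering the cases the PR's checklist cares about.
SAMPLES = {
    "post_wfs_schemalocation": Request("POST", "/geoserver/wfs", WFS_BODY_WITH_SCHEMALOCATION),
    "mixed_case_path_and_attr": Request("POST", "/GeoServer/WFS", WFS_BODY_WITH_SCHEMALOCATION.upper()),
    "post_wms_same_body": Request("POST", "/geoserver/wms", WFS_BODY_WITH_SCHEMALOCATION),
    "get_capabilities_no_body": Request("GET", "/geoserver/wfs?service=WFS&request=GetCapabilities", ""),
    "post_wfs_no_schemalocation": Request("POST", "/geoserver/wfs", WFS_BODY_PLAIN),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the emulated rule over every sample; returns sample name -> matched."""
    return {name: matches_vpatch_rule(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH' if hit else 'pass '}  {name}")
```

The mixed-case sample is the reason both blocks carry a lowercase transform: without it the upper-cased path and attribute would slip past. Note also that `xsi:schemaLocation` is the standard XML Schema Instance hint attribute and schema-aware WFS clients send it on ordinary requests, so the rule trades precision for coverage; anyone deploying it should measure the benign hit rate on their own WFS traffic before blocking on it.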

github-actions bot commented Jul 2, 2025

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-30220 🔴

github-actions bot commented Jul 2, 2025

Hello @crowdsec-automation,

Scenarios/AppSec Rules are compliant with the taxonomy, thank you for your contribution!

@buixor
Contributor

buixor commented Aug 6, 2025

need RAW_BODY support

buixor changed the title from "Add vpatch-CVE-2025-30220 rule and test" to "[draft] Add vpatch-CVE-2025-30220 rule and test" on Aug 6, 2025.