Secret Detection fix for "Password in URL" false positive

Summary

The regex for the current "Password in URL" rule is overly permissive and results in false positives.

Steps to reproduce

Run secret detection against the following line, comparing two string literal URLs in C#:

Assert.IsTrue(NormalizeUrl(@"HTTP://LOCALHOST:8080") == @"http://localhost");

What is the current bug behavior?

Secret detection identifies a "Password in URL" vulnerability for the given code.

What is the expected correct behavior?

This code should not be identified as a vulnerability.

Output of checks

This bug happens on GitLab.com

Possible fixes

The fix is to change the regex to replace \n with \s. Whitespace is not allowed in a URL, and includes the newline.

- `regex = '''[a-zA-Z]{3,10}:\/\/[^$][^:@\/\n]{3,20}:[^$][^:@\n\/]{3,40}@.{1,100}'''`
+ `regex = '''[a-zA-Z]{3,10}:\/\/[^$][^:@\/\s]{3,20}:[^$][^:@\s\/]{3,40}@.{1,100}'''`