Harden username URL handling and worker pool sizing in Sherlock core

[Chintanpatel24]

This PR improves security and runtime robustness in the main Sherlock scanning engine.

Changes :

• Added a dedicated username URL-encoding step using strict percent-encoding before interpolating into target URLs.
• Replaced the previous worker count logic with a bounded-safe expression:
• minimum 1 worker
• maximum 20 workers

Why this helps :

• Security: prevents crafted usernames with reserved URL characters from altering request path/query semantics.
• Reliability: avoids invalid zero-worker initialization when site data is empty.
• Efficiency: keeps concurrency bounded while avoiding edge-case failures.

[Copilot]

Pull request overview

This PR aims to harden Sherlock’s core scanning loop by (a) percent-encoding usernames before interpolating them into target URLs and (b) clamping the worker pool size to a safe range to avoid zero-worker initialization.

Changes:

• Introduces url_safe_username() and uses it when interpolating url / urlProbe.
• Replaces worker count logic with min(20, max(1, len(site_data))).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.