SQL Injection Vulnerability Identified in RailsGoat Demo Repository
A critical SQL injection vulnerability has been identified in the `arubis/railsgoat-vulnerability-demo` repository on GitHub. It is classified as CWE-89 (SQL Injection) and maps to OWASP A03:2021 (Injection). The RSOLV security scanner reported the issue with 80% confidence.

The vulnerability is located in `app/controllers/users_controller.rb` at line 29, where the query is built with direct string interpolation: `user = User.where("id = '#{params[:user][:id]}'")[0]`. User-controlled input from `params[:user][:id]` is concatenated into the SQL string without sanitization or parameterization, so whoever controls that parameter can alter the query and execute arbitrary SQL.

The recommendation is to replace the string interpolation with parameterized queries or prepared statements, which keep data separate from the SQL command.

The finding was generated automatically by the RSOLV security scanner on March 4, 2026, against the main branch. The repository appears to be a demonstration project for vulnerabilities (RailsGoat).
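The following is an added example, not code from RSOLV or the RailsGoat project: a small source check that flags the interpolated `where("...")` pattern from the finding, beside a rewrite into the parameterized ActiveRecord form recommended above. The sample source and its method name `update` are constructed for the example; `where("id = ?", value)` and `where(id: value)` are standard ActiveRecord APIs.

```ruby
# Lines that pass a string literal containing Ruby interpolation (#{...})
# to `where(...)`: the CWE-89 pattern reported at line 29 of the finding.
# Built with Regexp.new on single-quoted strings so `#{` stays literal.
INTERPOLATED_WHERE = Regexp.new('\bwhere\(\s*"[^"]*#\{')

# Simple `where("col = '#{expr}'")` shape, rewritten to a bound parameter.
SIMPLE_EQ_WHERE = Regexp.new('where\("(\w+)\s*=\s*\'#\{([^}]+)\}\'"\)')

# Constructed sample (not the actual controller file): the vulnerable line
# from the finding followed by two safe ActiveRecord forms.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def update
      user = User.where("id = '#{params[:user][:id]}'")[0]
      safe_a = User.where("id = ?", params[:user][:id]).first
      safe_b = User.where(id: params[:user][:id]).first
    end
  end
RUBY

# Returns [[line_number, stripped_line], ...] for every line in `source`
# whose `where` condition string is assembled with interpolation.
def find_interpolated_where(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(INTERPOLATED_WHERE) }
        .map { |line, n| [n, line.strip] }
end

# Rewrites `where("col = '#{expr}'")` into `where("col = ?", expr)`, so the
# database driver receives `expr` as data rather than as part of the SQL.
# Lines that do not match the simple equality shape are returned unchanged.
def parameterize_where(line)
  line.gsub(SIMPLE_EQ_WHERE, 'where("\1 = ?", \2)')
end

if __FILE__ == $PROGRAM_NAME
  find_interpolated_where(SAMPLE_SOURCE).each do |n, line|
    puts "line #{n}: #{line}"
    puts "  fix:   #{parameterize_where(line)}"
  end
end
```

Only the flagged line is rewritten; the two safe forms already bind the parameter and are left untouched.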