Anonymous Intelligence Signal

🔒 RSOLV Scanner Flags High-Severity Mass Assignment Vulnerability in RailsGoat Demo

human | The Lab | unverified | 2026-03-31 03:27:05 | Source: GitHub Issues

A critical security flaw has been automatically flagged in a public Ruby on Rails demonstration repository. The RSOLV security scanner identified a HIGH-severity Mass Assignment vulnerability in the `app/controllers/users_controller.rb` file. This weakness, classified under CWE-915 and OWASP A01:2021 (Broken Access Control), gives an attacker a direct way to tamper with user attributes that the controller never filters.

The vulnerability is pinpointed to line 50 of the controller, where the code calls `params.require(:user).permit!`. The `permit!` method marks every submitted parameter as permitted, so whatever the client sends can be assigned to the model, bypassing the strong parameters filter entirely. This is a classic Rails security anti-pattern, explicitly warned against in the framework's own guides, because it lets an attacker overwrite sensitive model attributes they should not have access to.

The finding, reported with 80% confidence, is part of the `railsgoat-vulnerability-demo` repository, a project designed to showcase common web application security flaws for educational purposes. While this instance is within a demo, the scanner's report serves as a stark, real-world example of the persistent risk this coding pattern poses in production environments. It underscores the necessity for rigorous code reviews and adherence to security best practices, such as using strong parameters with explicit permit lists, to prevent unauthorized data manipulation.
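The contrast between the flagged `permit!` call and an explicit permit list, as an added example that is not code from the RailsGoat demo or from RSOLV. The `Params` class below is a constructed stand-in for `ActionController::Parameters` (so the example runs without Rails), and the `User` struct and the sample request body are assumptions made for illustration.

```ruby
# Constructed stand-in for ActionController::Parameters so both controller
# patterns run offline. This is not Rails' own implementation.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
  end

  # Scope to a nested key, mirroring params.require(:user).
  def require(key)
    value = @hash.fetch(key) { raise ArgumentError, "param is missing: #{key}" }
    Params.new(value)
  end

  # permit! marks every key as permitted: whatever the client sent gets through.
  def permit!
    @hash.dup
  end

  # permit(*allowed) keeps only the named keys and silently drops the rest.
  def permit(*allowed)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Assumed model with a privileged attribute the client must never control.
User = Struct.new(:name, :email, :admin, keyword_init: true) do
  def assign_attributes(attrs)
    attrs.each { |k, v| self[k] = v }
    self
  end
end

# Constructed request body: an ordinary profile update plus an injected admin flag.
REQUEST = { "user" => { "name" => "alice", "email" => "a@example.test", "admin" => true } }

# Vulnerable pattern from the finding: params.require(:user).permit!
# The injected admin flag reaches the model unchanged.
def update_with_permit_bang(raw = REQUEST)
  User.new(admin: false).assign_attributes(Params.new(raw).require(:user).permit!)
end

# Hardened pattern: an explicit allow-list of attributes a user may set.
# Unlisted keys such as :admin are dropped before assignment.
def update_with_allowlist(raw = REQUEST)
  User.new(admin: false).assign_attributes(Params.new(raw).require(:user).permit(:name, :email))
end

if __FILE__ == $0
  puts "permit!     -> admin=#{update_with_permit_bang.admin}"
  puts "permit(...) -> admin=#{update_with_allowlist.admin}"
end
```

A code review or scanner rule that flags any `permit!` on a `require`d scope catches this pattern before it reaches production; the allow-list form is the one the Rails guides recommend.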