Railsgoat Demo Exposes High-Severity Mass Assignment Flaw in Users Controller
A high-severity mass assignment vulnerability has been flagged in the `arubis/railsgoat-vulnerability-demo` repository. The issue, detected automatically by the RSOLV security scanner, centers on line 50 of `app/controllers/users_controller.rb`. The controller filters its input with `params.require(:user).permit!`, which marks every key under `params[:user]` (nested hashes included) as permitted. Whatever the request carries is then handed to the model's attribute assignment, so an attacker can set any attribute of the User model, including ones the request should never control, simply by adding extra keys to a form or JSON body.
The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and maps to the OWASP Top 10's A01:2021 category, Broken Access Control. The scanner assigned the finding an 80% confidence level, indicating a high probability that the weakness is genuine and exploitable. The code comes from RailsGoat, a deliberately vulnerable application built for training, so the finding is a textbook example of a common Rails anti-pattern that must not be replicated in production code.
The presence of this flaw in a public demo repository is a reminder of what goes wrong when a controller fails to restrict which attributes a request may set. While the immediate impact is contained within a training environment, the same pattern is a significant liability in a live application: any privileged column on the model, such as an admin flag or a role, becomes writable by anyone who can submit the form. The scanner's recommendation is to review and fix the vulnerability according to security best practices, which means replacing `permit!` with an explicit allow-list of the attributes that this request is entitled to change, using `permit(:attr1, :attr2)`. Privileged fields should be absent from that list entirely, and the fix should be verified by sending the extra key in a request and confirming it is dropped rather than applied.
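The following example, added here and not taken from railsgoat, the demo repository, or the scanner, runs the same attacker request through the `permit!` filter and through an explicit allow-list so the difference is observable. The `User` model, its `admin` attribute, the attacker payload and the `permit_all_call_sites` audit helper are constructed for the example. It uses the real `ActionController::Parameters` when the actionpack gem is installed and otherwise falls back to a small stand-in that is assumed to mirror only the `require`, `permit!`, `permit` and `to_h` behaviour used here.

```ruby
# Added example; not railsgoat's or the scanner's code.
# Uses ActionController::Parameters if available, otherwise a stand-in
# (assumption: it mirrors only the require/permit!/permit/to_h behaviour used here).
begin
  require 'action_controller'
  Params = ActionController::Parameters
rescue LoadError
  class Params
    def initialize(hash)
      @hash = hash.transform_keys(&:to_s)
    end

    def require(key)
      value = @hash.fetch(key.to_s) { raise KeyError, "param is missing: #{key}" }
      Params.new(value)
    end

    # Marks every key as permitted, exactly what `permit!` does in Rails.
    def permit!
      @permitted = @hash.dup
      self
    end

    # Keeps only the listed keys; everything else is silently dropped.
    def permit(*keys)
      allowed = keys.map(&:to_s)
      @permitted = @hash.select { |k, _| allowed.include?(k) }
      self
    end

    def to_h
      raise 'unpermitted parameters' unless @permitted
      @permitted
    end
  end
end

# Minimal User model (constructed; no database). `update` mirrors ActiveRecord
# mass assignment: every key in the hash becomes an attribute write.
User = Struct.new(:email, :name, :admin, keyword_init: true) do
  def update(attrs)
    attrs.each { |k, v| self[k.to_sym] = v }
  end
end

# The vulnerable pattern flagged on line 50: everything under params[:user] passes.
def user_params_permit_all(params)
  params.require(:user).permit!
end

# The fix: an explicit allow-list. `admin` is deliberately absent.
def user_params_allowlisted(params)
  params.require(:user).permit(:email, :name)
end

# Simulates UsersController#update for a non-admin user editing their profile.
def update_profile(filter, request_params)
  user = User.new(email: 'alice@example.com', name: 'Alice', admin: false)
  user.update(filter.call(Params.new(request_params)).to_h)
  user
end

# Constructed attacker request: a normal profile edit with user[admin]=true added.
ATTACK = { 'user' => { 'email' => 'alice@example.com', 'name' => 'Alice', 'admin' => true } }.freeze

# A simple audit of the kind the scanner performs: line numbers calling `permit!`.
def permit_all_call_sites(source)
  source.each_line.with_index(1).select { |line, _| line.include?('permit!') }.map(&:last)
end

CONTROLLER_SNIPPET = <<~RUBY # constructed; not the actual railsgoat file
  def user_params
    params.require(:user).permit!
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "permit!: admin=#{update_profile(method(:user_params_permit_all), ATTACK).admin}"
  puts "permit:  admin=#{update_profile(method(:user_params_allowlisted), ATTACK).admin}"
  puts "permit! found on lines: #{permit_all_call_sites(CONTROLLER_SNIPPET).inspect}"
end
```

With `permit!` the smuggled `admin` key lands on the model and the user is now an administrator; with the allow-list the same request still updates `email` and `name` but the extra key is discarded. The allow-list belongs in the controller that handles the request, not in a shared helper, because the set of attributes a given action may change depends on who is calling it.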