Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

[nuxt] [request error] [unhandled] [500] The "list" argument must be an instance of SharedArrayBuffer, ArrayBuffer or ArrayBufferView. #415

Closed W3rff closed 2 months ago

W3rff commented 2 months ago

Version

nuxt-security: v1.3.0
nuxt: v3.11.1

I am getting a nuxt 500 error since today, and it's coming from the file: https://github.com/Baroshem/nuxt-security/blob/main/src/runtime/nitro/plugins/03-subresourceIntegrity.ts, on line 26. It seems that .decoder() expects a different format than this nuxt app provides.

In my case sriHashesRaw is:


When I change the code to sriHashes = sriHashesRaw ?? {}; the bug is gone. So it seems like the format of sriHashesRaw is already correct and the new TextDecoder().decode(sriHashesRaw) throws the error.

This only happens in a production build for me.

I would love to hear how this could be fixed!
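
The report above describes a stored SRI map that reaches `TextDecoder().decode()` as an already-parsed object, while `decode()` accepts only byte buffers. The following is an added example, not code from nuxt-security and not the fix released in 1.3.1: one defensive way to read such a value whether it arrives as bytes, a JSON string or an object, keeping only well-formed integrity strings. The function name `normalizeSriHashes`, the sample path and the placeholder digest are assumptions made for illustration.

```javascript
// Added example: normalise a stored SRI map that may arrive as bytes, as a
// JSON string, or as an already-parsed object (the case in the report).
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function normalizeSriHashes(raw) {
  if (raw === null || raw === undefined) return {};

  let value = raw;
  // Only an ArrayBuffer or a typed-array view (Node's Buffer included)
  // is handed to TextDecoder.decode().
  if (value instanceof ArrayBuffer || ArrayBuffer.isView(value)) {
    value = new TextDecoder().decode(value);
  }
  if (typeof value === 'string') {
    value = JSON.parse(value); // throws SyntaxError on malformed JSON
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new TypeError('SRI hashes must be an object of path -> integrity');
  }

  // Keep only well-formed entries so a damaged map never reaches the HTML.
  const hashes = {};
  for (const [path, integrity] of Object.entries(value)) {
    if (typeof integrity === 'string' && SRI_RE.test(integrity)) {
      hashes[path] = integrity;
    }
  }
  return hashes;
}

// Constructed sample: hypothetical path and placeholder digest,
// not values taken from the issue.
const sample = { '/_nuxt/app.js': 'sha384-' + 'A'.repeat(64) };
const asBytes = new TextEncoder().encode(JSON.stringify(sample));

console.log(normalizeSriHashes(sample));                 // parsed object
console.log(normalizeSriHashes(asBytes));                // Uint8Array
console.log(normalizeSriHashes(JSON.stringify(sample))); // JSON string
```

Dropping malformed entries means the affected asset is served without an `integrity` attribute rather than with a broken one; a stricter deployment could throw instead.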

W3rff commented 2 months ago

Ah, I see this bug is also discussed in https://github.com/Baroshem/nuxt-security/issues/413, thanks for the quick responses :)

vejja commented 2 months ago

Hi @W3rff Sorry about this, please downgrade to 1.2 while we patch with #414

Baroshem commented 2 months ago

Released patch 1.3.1 with a fix for that from @vejja.

Please check if it works now :)

W3rff commented 2 months ago

Thanks for the quick response, it works now!