Some markdown triggers a server 418 error

I have a UI that’s posting to Cockpit from a PWA via CORS.

My application is using Cockpit as a sync target for application data. Which isn’t exactly what it was designed for, I know. But it’s worked well in other personal projects (I have a couple of PWAs that are using Cockpit as a generic document-based storage API, working nicely too.) This application is a writing tool that stores content as Markdown.

I’ve noticed when I try to save markdown with certain content, the API fails and returns a 418 (I’m a teapot) HTTP status code. Here’s the smallest, repeatable markdown content example I could get down to:


```
| name | type |
|----|----|
| something | Date |
```

The collection schema looks like this:

| field | type |
|----|----|
| id | Text |
| type | Text |
| updatedAt | Date |
| deletedAt | Date |
| data | Object (this is the app data object) |

It’s basically encapsulating the app data in backend specific info (for last sync time and tombstoning timestamp, etc).

The POSTed JSON looks like this:

```json
{"data":{"_id":null,"id":"kkyzg9my","type":"document","data":"{\"id\":\"kkyzg9my\",\"name\":\"\",\"body\":\"| name | type |\\n|----|----|\\n| something | Date |\\n\\n\",\"topicId\":\"kkt6lx8w\",\"snapshots\":[],\"created\":1612934324170,\"updated\":1612993231741,\"deleted\":0,\"type\":\"document\",\"_id\":null}","updatedAt":1612993231741,"deletedAt":0}}
```

I’ve tried sending the encapsulated JSON as an object and as a string. Both fail with the 418.

Any thoughts on how to fix this, or what might be causing it?


Also, I’m using cockpit version 0.10.2

I have noticed if I change the word “Date” in the markdown to, say, “misc”, it saves fine and returns the expected 200. It’s all very odd.

Well, I don’t know what’s causing the issue, but after some experiments I’ve been able to work around the issue by submitting the data as application/x-www-form-urlencoded instead of JSON.

Also, I take the payload and encode it as a string using: encodeURI(JSON.stringify(data)) (decode, obviously, is the inverse: JSON.parse(decodeURI(dataSource))).

I have to do both of those things or the 418 is returned from the server.

:man_shrugging:
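An added example, not part of the original post: when the `encodeURI(JSON.stringify(data))` value from the workaround above goes into a hand-built form body, `&`, `=` and `+` stay unescaped, so some Markdown is split into extra fields or silently altered on the receiving side. The field name `payload`, the sample documents and the assumption that the receiver parses form fields the way `URLSearchParams` does are all constructed for illustration.

```javascript
// Added example. "payload" is a hypothetical field name, not Cockpit's API.

// Hand-built form body using encodeURI, as in the workaround above.
function bodyWithEncodeURI(data) {
  return "payload=" + encodeURI(JSON.stringify(data));
}

// Body built by URLSearchParams, which also percent-encodes &, = and +.
function bodyWithSearchParams(data) {
  return new URLSearchParams({ payload: JSON.stringify(data) }).toString();
}

// What a standard form-urlencoded parser on the receiving side sees.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Turn the received field back into an object; null if the JSON was damaged.
function recover(fields) {
  try {
    return JSON.parse(fields.payload);
  } catch (e) {
    return null;
  }
}

// Constructed documents: the table from the post, plus two edge cases.
const tableDoc = { body: "| name | type |\n|----|----|\n| something | Date |\n\n" };
const ampDoc = { body: "R&D notes: 1 + 1 = 2" };
const plusDoc = { body: "1 + 1" };

for (const doc of [tableDoc, ampDoc, plusDoc]) {
  const viaEncodeURI = parseForm(bodyWithEncodeURI(doc));
  const viaParams = parseForm(bodyWithSearchParams(doc));
  console.log(JSON.stringify(doc.body));
  console.log("  encodeURI       fields:", Object.keys(viaEncodeURI).length,
              "recovered:", JSON.stringify(recover(viaEncodeURI)));
  console.log("  URLSearchParams fields:", Object.keys(viaParams).length,
              "recovered:", JSON.stringify(recover(viaParams)));
}
```

The table from the post survives both paths; the `&` document arrives as two fields with unparseable JSON, and the `+` document parses but with the plus sign turned into a space.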

@mattmccray Do you use MongoDB or SQLite?

I want to try to reproduce that issue, because it’s very odd and might be a security issue… My guess is that `--` is somehow treated as a SQL comment, which causes the pipe character `|` to execute `Date()` inside an `eval()` statement or something in this direction…

I fixed some missing quotes in the MongoLite driver a while ago. This should be available since 0.11.1. Eventually, your issue is fixed already.