requestly · dinex-dev · Jun 26, 2026 · Jun 23, 2026 · Jun 24, 2026 · Jun 24, 2026
@@ -25,16 +25,9 @@ const modify_request = (ctx, new_req) => {
         ctx.rq_request_body = new_req;
 };
 const modify_request_using_code = async (action, ctx) => {
-    let userFunction = null;
-    try {
-        userFunction = (0, utils_2.getFunctionFromString)(action.request);
-    }
-    catch (error) {
-        // User has provided an invalid function
-        return modify_request(ctx, "Can't parse Requestly function. Please recheck. Error Code 7201. Actual Error: " +
-            error.message);
-    }
-    if (!userFunction || typeof userFunction !== "function") {
+    // RQ-2426: validate the function source parses (compile-only, no execution)
+    // before running it in the sandboxed worker.
+    if (!(await (0, utils_2.isValidFunctionString)(action.request))) {
         // User has provided an invalid function
         return modify_request(ctx, "Can't parse Requestly function. Please recheck. Error Code 944.");
     }
@@ -58,16 +51,21 @@ const modify_request_using_code = async (action, ctx) => {
         catch (_a) {
             /*Do nothing -- could not parse body as JSON */
         }
-        finalRequest = await (0, utils_2.executeUserFunction)(ctx, userFunction, args);
+        finalRequest = await (0, utils_2.executeUserFunction)(ctx, action.request, args);
         if (finalRequest && typeof finalRequest === "string") {
             return modify_request(ctx, finalRequest);
         }
         else
             throw new Error("Returned value is not a string");
     }
     catch (error) {
-        // Function parsed but failed to execute
-        return modify_request(ctx, "Can't execute Requestly function. Please recheck. Error Code 187. Actual Error: " +
+        // Function parsed but failed to execute. Code 188 = sandbox-internal (our shim
+        // broke); 187 = the rule author's code. error.message now carries the real
+        // sandbox error (previously swallowed).
+        const code = error && error.kind === "prelude" ? 188 : 187;
+        return modify_request(ctx, "Can't execute Requestly function. Please recheck. Error Code " +
+            code +
+            ". Actual Error: " +
             error.message);
     }
 };

@@ -103,16 +103,9 @@ const modify_response_using_local = (action, ctx) => {
 };
 const modify_response_using_code = async (action, ctx) => {
     var _a, _b, _c, _d;
-    let userFunction = null;
-    try {
-        userFunction = (0, utils_2.getFunctionFromString)(action.response);
-    }
-    catch (error) {
-        // User has provided an invalid function
-        return modify_response(ctx, "Can't parse Requestly function. Please recheck. Error Code 7201. Actual Error: " +
-            error.message);
-    }
-    if (!userFunction || typeof userFunction !== "function") {
+    // RQ-2426: validate the function source parses (compile-only, no execution)
+    // before running it in the sandboxed worker.
+    if (!(await (0, utils_2.isValidFunctionString)(action.response))) {
         // User has provided an invalid function
         return modify_response(ctx, "Can't parse Requestly function. Please recheck. Error Code 944.");
     }
@@ -146,8 +139,13 @@ const modify_response_using_code = async (action, ctx) => {
             throw new Error("Returned value is not a string");
     }
     catch (error) {
-        // Function parsed but failed to execute
-        return modify_response(ctx, "Can't execute Requestly function. Please recheck. Error Code 187. Actual Error: " +
+        // Function parsed but failed to execute. Code 188 = sandbox-internal (our shim
+        // broke); 187 = the rule author's code. error.message now carries the real
+        // sandbox error (previously swallowed).
+        const code = error && error.kind === "prelude" ? 188 : 187;
+        return modify_response(ctx, "Can't execute Requestly function. Please recheck. Error Code " +
+            code +
+            ". Actual Error: " +
             error.message);
     }
 };

@@ -1,2 +1,18 @@
-export declare const getFunctionFromString: (functionStringEscaped: any) => any;
+/**
+ * Where a sandbox failure originated, so callers + telemetry can tell OUR
+ * shim/infra bugs (`prelude`) from the rule author's (`user`) and timeouts apart.
+ */
+export type SandboxErrorKind = "prelude" | "user" | "timeout";
+export declare class SandboxError extends Error {
+    kind: SandboxErrorKind;
+    constructor(message: string, kind: SandboxErrorKind);
+}
+/**
+ * Verify a rule's code string parses WITHOUT executing it. Constructing
+ * `new Function(body)` compiles/parses the body but never runs it (the function
+ * is never called), so even an IIFE-shaped string cannot execute here. Avoids the
+ * `vm` module (unsupported in Electron's renderer); the sandboxed execution
+ * happens inside QuickJS.
+ */
+export declare const isValidFunctionString: (functionStringEscaped: string) => Promise<boolean>;
 export declare function executeUserFunction(ctx: any, functionString: string, args: any): Promise<any>;