Rehan Iftikhar rehanift

Use a child process to run the code. This process can be a node process that is running another VM inside of it for user code to be run in (it both the process and separated VM).
Chroot the child process / Jail it / Run as Nobody:Nobody / run it in a new session / run it with empty environmental variables / remove ALL globals from node by setting them to undefined (not null) / everything reasonable to lock down the environment.
Use a serialization channel when talking to user code, never ever directly share objects.
Never reuse a child process.
ANY variable given to a child process for interaction with a parent should be through a strict mode function that can talk to code outside of our VM, never give direct references to objects from the privileged vm. This function should be generated inside of the user code context prior to executing any user code and should not use eval(). All references to objects including functions from th

	var zmq = require("zmq");
	var node_uuid = require('node-uuid');

	var arrayUnique = function(a) {
	return a.reduce(function(p, c) {
	if (p.indexOf(c) < 0) p.push(c);
	return p;
	}, []);
	};

	var util = require("util");
	var events = require("events");

	var AsyncServer = function(){
	this.request_count = 0;
	};
	util.inherits(AsyncServer, events.EventEmitter);

	AsyncServer.make = function(){
	var server = new AsyncServer();

	var getFriendsInApp = function (callback) {
	FB.login(function (response) { // Force FB client to re-authorize
	var friends = "SELECT uid, name, pic_square FROM user WHERE uid = me() OR uid IN (SELECT uid2 FROM friend WHERE uid1 = me())",
	friends_in_app = "SELECT uid, name, pic_square FROM user WHERE is_app_user AND uid IN (SELECT uid2 FROM friend WHERE uid1 = me())"
	FB.api({
	method: 'fql.query',
	query: friends_in_app
	}, callback);
	});
	};

	var vm = function(){
	//avoid contextify's js wrapper
	var contextifyPath = require('path').resolve(require.resolve('contextify'), '..', '..');
	var contextify = require('bindings')({
	module_root: contextifyPath,
	bindings: 'contextify.node'
	});
	// basic WeakMap shim if not available
	var WM = typeof WeakMap !== 'undefined' ? WeakMap : function WeakMap(){
	var keys = [], values = [];

	var events = require("events"),
	util = require("util");

	var UserAuthenticator = function(user_finder){
	this.user_finder = user_finder;
	};
	util.inherits(UserAuthenticator, events.EventEmitter);

	UserAuthenticator.make = function(dependencies){
	var authenticator = new UserAuthenticator(dependencies.user_finder);

	{% contest name:"stories-example" %}

	{% partial name:"entry-form" %}

	{% contest_form %}
	<div>
	<label>
	Name:
	<input type="text" name="registration[name]"/>
	</label>

	class AcmeServiceClient
	def initialize(http_client, acme_response_translator)
	self.http_client = http_client
	self.acme_response_translator = acme_response_translator
	end

	def self.make(dependencies)
	instance = self.new(dependencies["http_client"], dependencies["acme_response_translator"])
	return instance
	end

	var vm = require("vm"),
	util = require("util"),
	events = require("events");

	var fooClass = function(){};
	util.inherits(fooClass, events.EventEmitter);

	fooClass.prototype.run = function(){
	this.emit('myevent', "Hello!");
	};