Discover how the Deno permissions model enforces secure-by-default scripting by requiring explicit access grants to sensitive resources. This quiz covers key permission flags, default restrictions, and practical scenarios in using Deno for robust application security.
When running a script without any permission flags, what is Deno's default behavior regarding network access (for example, making HTTP requests)?
Explanation: Deno denies network access by default unless you explicitly provide permission using the appropriate flag. Allowing network access with a warning is not Deno's approach; warnings are not used as a permission mechanism. Full or temporary allowances go against the secure-by-default model that Deno follows. Only explicitly granted permissions activate access to network resources.
Which permission flag must be used to allow a Deno script to read files from the local filesystem, such as reading a configuration file?
Explanation: The --allow-read flag is required for enabling read access to the local filesystem in Deno. The other options, such as --permit-file, --enable-read, and --file-access, are incorrect; they may sound plausible but do not exist in Deno's permission system. Only the --allow-read flag activates file reading capability.
If a script tries to write to a local file without any permission flags, what will happen according to Deno's permission model?
Explanation: Without the appropriate write permission, Deno blocks file write attempts and displays an error. Silent file creation or ignoring the operation would undermine security, while prompting and automatically continuing is not Deno's approach by default. Explicit permission must be provided for writing.
How can you restrict Deno's --allow-read permission to only allow access to a specific folder, such as './data'?
Explanation: By specifying --allow-read=./data, you restrict read permissions to the given directory. The other choices are not valid Deno syntax; --allow-read-limited, --read-folder, and --allow-folder are not recognized flags or are formatted incorrectly. Deno supports fine-grained permissions via equals syntax.
Which flag must be explicitly granted to enable a Deno script to access operating system environment variables, like reading a password from 'process.env'?
Explanation: --allow-env is the correct and only flag for granting access to environment variables in Deno. The other options may sound plausible but are not supported by Deno's permission system. Accessing environment variables without permission is denied by default.
If your Deno script needs to execute a system command (such as starting another process), which permission must be given?
Explanation: Deno requires --allow-run to execute subprocesses. The other suggestions, like --allow-cmd, --enable-exec, and --permit-process, are not part of Deno's actual flag set and would result in errors if used. Without --allow-run, Deno will block any subprocess launches.
What does the --allow-all flag do when running a Deno script?
Explanation: --allow-all provides the script with unrestricted access to all controlled resource types such as file system, network, and environment. The other options are either incomplete or incorrect—restricting to just read/write or network would not fully allow all. Revoking permissions is the opposite of what the flag does.
Can Deno prompt the user to allow a permission at runtime if it is not provided at launch by default?
Explanation: Deno does not prompt for permissions at runtime by default; permissions must be provided using flags when the script is launched. Automatic prompts would not align with non-interactive or production environments. Options suggesting runtime prompts are not accurate for Deno's out-of-the-box behavior.
Which Deno API can a script use within its code to check whether it currently has network access permission?
Explanation: Deno.permissions.query allows you to programmatically check the status of a specific permission, such as 'net' for network. The distractors are not valid Deno APIs; allowNetStatus, checkNet, and permissionStatus do not exist in the permissions API. Only the query method serves this purpose.
Which statement best summarizes Deno's default permissions when no flags are used at script launch?
Explanation: Deno is secure by default, meaning that no sensitive permissions are granted unless specified via flags. The other options incorrectly suggest default access to certain resources, which would violate Deno's secure principles. Only explicit permissions activate resource access.