Clarify that -p has no effect with --recurse

2chanhaeng · 2chanhaeng · commit cff1c31da775 · 2026-04-19T12:34:49.000Z
The previous help text, inline comment, changelog entry, and CLI docs all stated that -p/--allow-private-address affects URLs discovered via --recurse, but recursive fetches hardcode `allowPrivateAddress: false` and never honor the option. Update the CLI help, the loader-split comment in `runLookup`, the 2.1.6 changelog entry, and the `-p` section of `docs/cli.md` so that they all describe the same actual behavior: the option only gates URLs discovered during --traverse, while --recurse always disallows private addresses. #696 #698 Assisted-by: Claude Code:claude-opus-4-7
diff --git a/CHANGES.md b/CHANGES.md
@@ -15,9 +15,10 @@ To be released.
     regression introduced in Fedify 2.1.0 when the CLI began forwarding
     the `allowPrivateAddress` option to the underlying document loader.
     URLs explicitly provided on the command line now always allow private
-    addresses, while URLs discovered via [`-t`/`--traverse`] or [`--recurse`]
-    still honor the option to mitigate SSRF attacks against private
-    addresses.  [[#696], [#698] by Chanhaeng Lee]
+    addresses, while URLs discovered during [`-t`/`--traverse`] honor the
+    option to mitigate SSRF attacks against private addresses.  Recursive
+    fetches via [`--recurse`] continue to always disallow private
+    addresses regardless of the option.  [[#696], [#698] by Chanhaeng Lee]
 
 [`-t`/`--traverse`]: https://fedify.dev/cli#t-traverse-traverse-the-collection
 [`--recurse`]: https://fedify.dev/cli#recurse-recurse-through-object-relationships
diff --git a/docs/cli.md b/docs/cli.md
@@ -991,10 +991,9 @@ fedify lookup http://localhost:8000/users/alice
 ~~~~
 
 The `-p`/`--allow-private-address` option additionally allows private
-addresses for URLs discovered via traversal or recursion.  It only has an
-effect when used together with
-[`-t`/`--traverse`](#t-traverse-traverse-the-collection) or
-[`--recurse`](#recurse-recurse-through-object-relationships), since URLs
+addresses for URLs discovered during traversal.  It only has an effect
+when used together with
+[`-t`/`--traverse`](#t-traverse-traverse-the-collection), since URLs
 embedded in remote responses are otherwise rejected to mitigate SSRF
 attacks against private addresses.
 
@@ -1004,7 +1003,7 @@ fedify lookup --traverse --allow-private-address http://localhost:8000/users/ali
 
 > [!NOTE]
 > Recursive fetches enabled by
-> [`--recurse`](#recurse-recurse-through-object-relationships) continue to
+> [`--recurse`](#recurse-recurse-through-object-relationships) always
 > disallow private addresses regardless of this option.
 
 ### `-s`/`--separator`: Output separator
diff --git a/packages/cli/src/lookup.ts b/packages/cli/src/lookup.ts
@@ -84,10 +84,11 @@ const suppressErrorsOption = bindConfig(
 const allowPrivateAddressOption = bindConfig(
   flag("-p", "--allow-private-address", {
     description: message`Allow private IP addresses for URLs discovered \
-via traversal or recursion. This option only has an effect \
-when used together with ${optionNames(["-t", "--traverse"])} \
-or ${optionNames(["--recurse"])}, since URLs explicitly \
-provided on the command line always allow private addresses.`,
+during traversal. This option only has an effect when used together \
+with ${optionNames(["-t", "--traverse"])}, since URLs explicitly \
+provided on the command line always allow private addresses and \
+recursive fetches via ${optionNames(["--recurse"])} always disallow \
+them.`,
   }),
   {
     context: configContext,
@@ -721,8 +722,10 @@ export async function runLookup(
   let server: TemporaryServer | undefined = undefined;
   // URLs explicitly provided by the user always allow private addresses,
   // so that local servers can be looked up without -p/--allow-private-address.
-  // URLs discovered via traversal or recursion follow the option, since they
-  // originate from remote responses and must be protected against SSRF.
+  // URLs discovered during traversal follow the option to mitigate SSRF
+  // against private addresses, while recursive fetches always disallow
+  // private addresses regardless of the option (see the --recurse branch
+  // below, which hardcodes `allowPrivateAddress: false`).
   const initialBaseDocumentLoader = await getDocumentLoader({
     userAgent: command.userAgent,
     allowPrivateAddress: true,
