Hide archive password in snapshot download output.

fnando · fnando · commit 8e8f8e2f144a · 2026-06-01T14:40:18.000-07:00
diff --git a/cmd/crates/soroban-test/tests/it/integration/snapshot.rs b/cmd/crates/soroban-test/tests/it/integration/snapshot.rs
@@ -211,6 +211,24 @@ fn snapshot_merge() {
     assert!(merged.ledger_entries.len() > snapshot_b.ledger_entries.len());
 }
 
+#[test]
+fn snapshot_create_redacts_archive_url_password() {
+    let sandbox = &TestEnv::new();
+    sandbox
+        .new_assert_cmd("snapshot")
+        .arg("create")
+        .arg("--archive-url=https://archiveuser:supersecret@archive.invalid/")
+        .arg("--ledger=1")
+        .arg("--out=snapshot.json")
+        .assert()
+        .failure()
+        .stderr(
+            predicate::str::contains("supersecret")
+                .not()
+                .and(predicate::str::contains("redacted")),
+        );
+}
+
 #[test]
 fn snapshot_merge_conflict_resolution() {
     let sandbox = &TestEnv::new();
diff --git a/cmd/soroban-cli/src/commands/snapshot/create.rs b/cmd/soroban-cli/src/commands/snapshot/create.rs
@@ -31,7 +31,10 @@ use crate::{
     tx::builder,
     utils::get_name_from_stellar_asset_contract_storage,
 };
-use crate::{config::address::UnresolvedMuxedAccount, utils::http};
+use crate::{
+    config::address::UnresolvedMuxedAccount,
+    utils::{http, url::redact_url},
+};
 
 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, ValueEnum, Default)]
 pub enum Output {
@@ -559,7 +562,10 @@ async fn get_history(
     };
     let history_url = Url::from_str(&history_url).unwrap();
 
-    print.globeln(format!("Downloading history {history_url}"));
+    print.globeln(format!(
+        "Downloading history {}",
+        redact_url(history_url.as_str())
+    ));
 
     let response = http::client()
         .get(history_url.as_str())
@@ -589,7 +595,10 @@ async fn get_history(
         .map_err(Error::ReadHistoryHttpStream)?;
 
     print.clear_previous_line();
-    print.globeln(format!("Downloaded history {}", &history_url));
+    print.globeln(format!(
+        "Downloaded history {}",
+        redact_url(history_url.as_str())
+    ));
 
     serde_json::from_slice::<History>(&body).map_err(Error::JsonDecodingHistory)
 }
@@ -608,7 +617,10 @@ async fn get_ledger_metadata_from_archive(
         "{archive_url}/ledger/{ledger_hex_0}/{ledger_hex_1}/{ledger_hex_2}/ledger-{ledger_hex}.xdr.gz"
     );
 
-    print.globeln(format!("Downloading ledger headers {ledger_url}"));
+    print.globeln(format!(
+        "Downloading ledger headers {}",
+        redact_url(&ledger_url)
+    ));
 
     let ledger_url = Url::from_str(&ledger_url).map_err(Error::ParsingBucketUrl)?;
     let response = http::client()
