From ce3904102331bdb15b3e33d11ab220af382f34ab Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Mon, 1 Jun 2026 14:40:18 -0700
Subject: [PATCH] Hide archive password in snapshot download output.

---
 .../tests/it/integration/snapshot.rs          | 18 +++++++++++++++
 .../src/commands/snapshot/create.rs           | 23 +++++++++++++++----
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/cmd/crates/soroban-test/tests/it/integration/snapshot.rs b/cmd/crates/soroban-test/tests/it/integration/snapshot.rs
index fa6ed0ed1a..30d761b202 100644
--- a/cmd/crates/soroban-test/tests/it/integration/snapshot.rs
+++ b/cmd/crates/soroban-test/tests/it/integration/snapshot.rs
@@ -211,6 +211,24 @@ fn snapshot_merge() {
     assert!(merged.ledger_entries.len() > snapshot_b.ledger_entries.len());
 }
 
+#[test]
+fn snapshot_create_redacts_archive_url_password() {
+    let sandbox = &TestEnv::new();
+    sandbox
+        .new_assert_cmd("snapshot")
+        .arg("create")
+        .arg("--archive-url=https://archiveuser:supersecret@archive.invalid/")
+        .arg("--ledger=1")
+        .arg("--out=snapshot.json")
+        .assert()
+        .failure()
+        .stderr(
+            predicate::str::contains("supersecret")
+                .not()
+                .and(predicate::str::contains("redacted")),
+        );
+}
+
 #[test]
 fn snapshot_merge_conflict_resolution() {
     let sandbox = &TestEnv::new();
diff --git a/cmd/soroban-cli/src/commands/snapshot/create.rs b/cmd/soroban-cli/src/commands/snapshot/create.rs
index 8fa39f575b..4cc4f01cce 100644
--- a/cmd/soroban-cli/src/commands/snapshot/create.rs
+++ b/cmd/soroban-cli/src/commands/snapshot/create.rs
@@ -31,7 +31,10 @@ use crate::{
     tx::builder,
     utils::get_name_from_stellar_asset_contract_storage,
 };
-use crate::{config::address::UnresolvedMuxedAccount, utils::http};
+use crate::{
+    config::address::UnresolvedMuxedAccount,
+    utils::{http, url::redact_url},
+};
 
 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, ValueEnum, Default)]
 pub enum Output {
@@ -559,7 +562,10 @@ async fn get_history(
     };
     let history_url = Url::from_str(&history_url).unwrap();
 
-    print.globeln(format!("Downloading history {history_url}"));
+    print.globeln(format!(
+        "Downloading history {}",
+        redact_url(history_url.as_str())
+    ));
 
     let response = http::client()
         .get(history_url.as_str())
@@ -589,7 +595,10 @@ async fn get_history(
         .map_err(Error::ReadHistoryHttpStream)?;
 
     print.clear_previous_line();
-    print.globeln(format!("Downloaded history {}", &history_url));
+    print.globeln(format!(
+        "Downloaded history {}",
+        redact_url(history_url.as_str())
+    ));
 
     serde_json::from_slice::<History>(&body).map_err(Error::JsonDecodingHistory)
 }
@@ -608,9 +617,13 @@ async fn get_ledger_metadata_from_archive(
         "{archive_url}/ledger/{ledger_hex_0}/{ledger_hex_1}/{ledger_hex_2}/ledger-{ledger_hex}.xdr.gz"
     );
 
-    print.globeln(format!("Downloading ledger headers {ledger_url}"));
-
     let ledger_url = Url::from_str(&ledger_url).map_err(Error::ParsingBucketUrl)?;
+
+    print.globeln(format!(
+        "Downloading ledger headers {}",
+        redact_url(ledger_url.as_str())
+    ));
+
     let response = http::client()
         .get(ledger_url.as_str())
         .send()