Describe the bug
The aggregate_payload function in _payload/_generic.py has a missing comma between "extended_bounds" and "filters_spec" in a list literal at lines 126-127. Python silently concatenates adjacent string literals, producing "extended_boundsfilters_spec" as a single key instead of two separate keys. This means neither extended_bounds nor filters_spec kwargs work for ANY aggregate operation across the entire SDK (Alerts, Hosts, Detects, RTR, Intel, etc.).
To Reproduce
- Create any service class instance that supports aggregate operations
- Call an aggregate method passing
extended_bounds or filters_spec as kwargs:
from falconpy import Hosts
falcon = Hosts(client_id="ID", client_secret="SECRET")
result = falcon.query_devices_by_filter_scroll(
date_ranges=[{"from": "2024-01-01", "to": "2024-12-31"}],
field="hostname",
extended_bounds={"min": "2024-01-01", "max": "2024-12-31"},
filters_spec={"filters": "platform_name:'Windows'"}
)
- Neither
extended_bounds nor filters_spec appear in the request body sent to the API. The kwargs are silently ignored.
The root cause is a missing comma in src/falconpy/_payload/_generic.py lines 126-127:
# Current (broken) - implicit string concatenation
keys = ["date_ranges", "exclude", "extended_bounds"
"filters_spec", "from", "include", ...]
# This produces: [..., "extended_boundsfilters_spec", "from", ...]Expected behavior
Passing extended_bounds or filters_spec as keyword arguments should include them in the JSON body sent to the API, consistent with the documented kwargs in all aggregate operation docstrings.
Environment (please complete the following information):
- OS: All
- Python: All supported versions
- FalconPy: --
Additional context
This affects ALL service collections that use aggregate operations (Alerts, CAO Hunting, Case Management, Cloud Security, Container services, Custom IOA, Detects, Discover, Drift Indicators, Event Streams, Exposure Management, FalconX, Firewall, Hosts, Intel, IOCs, Kubernetes, MalQuery, MSSP, ODS, Recon, RTR, Spotlight, Threatgraph, Unidentified Containers, Workflows, and more).
Workaround: pass a pre-built body list to bypass the payload builder:
result = falcon.query_devices_by_filter_scroll(body=[{
"date_ranges": [{"from": "2024-01-01", "to": "2024-12-31"}],
"field": "hostname",
"extended_bounds": {"min": "2024-01-01", "max": "2024-12-31"},
"filters_spec": {"filters": "platform_name:'Windows'"}
}])Fix: add the missing comma in src/falconpy/_payload/_generic.py line 126:
# Before
keys = ["date_ranges", "exclude", "extended_bounds"
"filters_spec", "from", "include", ...]
# After
keys = ["date_ranges", "exclude", "extended_bounds",
"filters_spec", "from", "include", ...]
Describe the bug
The
aggregate_payloadfunction in_payload/_generic.pyhas a missing comma between"extended_bounds"and"filters_spec"in a list literal at lines 126-127. Python silently concatenates adjacent string literals, producing"extended_boundsfilters_spec"as a single key instead of two separate keys. This means neitherextended_boundsnorfilters_speckwargs work for ANY aggregate operation across the entire SDK (Alerts, Hosts, Detects, RTR, Intel, etc.).To Reproduce
extended_boundsorfilters_specas kwargs:extended_boundsnorfilters_specappear in the request body sent to the API. The kwargs are silently ignored.The root cause is a missing comma in
src/falconpy/_payload/_generic.pylines 126-127:Expected behavior
Passing
extended_boundsorfilters_specas keyword arguments should include them in the JSON body sent to the API, consistent with the documented kwargs in all aggregate operation docstrings.Environment (please complete the following information):
Additional context
This affects ALL service collections that use aggregate operations (Alerts, CAO Hunting, Case Management, Cloud Security, Container services, Custom IOA, Detects, Discover, Drift Indicators, Event Streams, Exposure Management, FalconX, Firewall, Hosts, Intel, IOCs, Kubernetes, MalQuery, MSSP, ODS, Recon, RTR, Spotlight, Threatgraph, Unidentified Containers, Workflows, and more).
Workaround: pass a pre-built body list to bypass the payload builder:
Fix: add the missing comma in
src/falconpy/_payload/_generic.pyline 126: