
s3direct should validate the path of the uploading file matches the server-generated key on server side

Open taylorhughes opened this issue 2 years ago • 0 comments

It is possible with s3direct to sign arbitrary s3 operations against the bucket exposed via s3direct/evaporate, because get_aws_v4_signature just signs whatever hash you give it without validating the target key. So s3direct essentially makes any file in the bucket writeable. (This library should come with a giant red warning if regular end-users can upload publicly accessible content via s3direct)

This should pass canonicalRequest to the django view so the django view can validate the to_sign contains an acceptable URL path: https://github.com/bradleyg/django-s3direct/blob/master/src/index.js#L120

Discussion in evaporate issues from 2016 where they added canonicalRequest support for this purpose: https://github.com/TTLabs/EvaporateJS/issues/219#issuecomment-261657647

taylorhughes avatar Jul 18 '22 00:07 taylorhughes
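The following is an added example, not code from django-s3direct or from the issue author, showing the server-side check the issue proposes: the signing endpoint receives both the string-to-sign and the canonical request, confirms the string-to-sign really commits to that canonical request (otherwise the client could show one request and have another signed), and refuses to sign anything that is not an upload to exactly the key the server issued. The bucket, object key, date and secret are constructed demo values; virtual-hosted-style addressing (canonical URI is "/" plus the key) is assumed, as is that the server can look up the key it generated for this upload. `sign_unconditionally` is the weak pattern described above, kept beside the hardened `sign_if_allowed` for contrast.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed demo values (not real credentials or the project's settings).
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
REGION = "us-east-1"
SERVICE = "s3"
ALLOWED_METHODS = ("PUT", "POST")  # multipart initiate/part/complete only


class SigningRefused(Exception):
    """The client-supplied request must not be signed."""


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signature(to_sign: str, date_stamp: str) -> str:
    """Standard SigV4 key derivation and final HMAC over the string-to-sign."""
    k_date = _hmac(("AWS4" + SECRET_KEY).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    return hmac.new(k_signing, to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_unconditionally(to_sign: str) -> str:
    """Weak pattern from the issue: whatever hash the client puts in to_sign
    gets signed, so any key in the bucket can be addressed."""
    return sigv4_signature(to_sign, to_sign.split("\n")[1][:8])


def parse_canonical_request(canonical_request: str) -> dict:
    """Split a SigV4 canonical request: method, URI, query string, canonical
    headers (one per line, then a blank line), signed headers, payload hash."""
    lines = canonical_request.split("\n")
    try:
        blank = lines.index("", 3)  # blank line ends the header block
    except ValueError:
        raise SigningRefused("canonical request has no header terminator")
    tail = lines[blank + 1:]
    if len(tail) != 2:
        raise SigningRefused("malformed canonical request")
    return {"method": lines[0], "uri": lines[1], "query": lines[2],
            "headers": lines[3:blank], "signed_headers": tail[0],
            "payload_hash": tail[1]}


def sign_if_allowed(to_sign: str, canonical_request: str, expected_key: str) -> str:
    """Sign only if canonical_request is what to_sign commits to, is an
    upload, and addresses exactly the key the server issued."""
    parts = to_sign.split("\n")
    if len(parts) != 4 or parts[0] != "AWS4-HMAC-SHA256":
        raise SigningRefused("unexpected string-to-sign layout")
    _algorithm, amz_date, scope, cr_hash = parts

    # (1) Bind the shown canonical request to the hash actually being signed.
    actual = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(actual, cr_hash):
        raise SigningRefused("canonical request does not match to_sign")

    cr = parse_canonical_request(canonical_request)

    # (2) Only upload operations; no GET, DELETE, or bucket-level calls.
    if cr["method"] not in ALLOWED_METHODS:
        raise SigningRefused(f"method {cr['method']} not allowed")

    # (3) Virtual-hosted-style assumed: canonical URI is "/" + key. Compare
    #     after percent-decoding so an encoded variant cannot slip past.
    if unquote(cr["uri"]) != "/" + expected_key:
        raise SigningRefused(f"URI {cr['uri']!r} is not the issued key")

    # (4) Credential scope must be ours, for the date in the request.
    date_stamp = amz_date[:8]
    if scope != f"{date_stamp}/{REGION}/{SERVICE}/aws4_request":
        raise SigningRefused("unexpected credential scope")

    return sigv4_signature(to_sign, date_stamp)


def is_signable(to_sign: str, canonical_request: str, expected_key: str) -> bool:
    try:
        sign_if_allowed(to_sign, canonical_request, expected_key)
        return True
    except SigningRefused:
        return False


def string_to_sign(canonical_request: str, amz_date: str) -> str:
    """What a SigV4 client builds before asking the server to sign (used here
    to construct demo inputs)."""
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])


def demo_canonical_request(method: str, uri: str, amz_date: str) -> str:
    """Constructed canonical request for one multipart upload part."""
    return "\n".join([method, uri, "partNumber=1&uploadId=EXAMPLEUPLOADID",
                      "host:example-bucket.s3.amazonaws.com",
                      "x-amz-date:" + amz_date, "", "host;x-amz-date",
                      "UNSIGNED-PAYLOAD"])


ISSUED_KEY = "uploads/user-42/avatar.png"  # constructed: key the server generated
AMZ_DATE = "20220718T000700Z"

if __name__ == "__main__":
    good = demo_canonical_request("PUT", "/uploads/user-42/avatar.png", AMZ_DATE)
    print(sign_if_allowed(string_to_sign(good, AMZ_DATE), good, ISSUED_KEY))
    other = demo_canonical_request("PUT", "/uploads/user-7/avatar.png", AMZ_DATE)
    print(is_signable(string_to_sign(other, AMZ_DATE), other, ISSUED_KEY))  # False
```

Check (1) is what makes the others meaningful: without it, a client could send an innocuous canonical request for inspection while the hash inside `to_sign` belongs to a request for a different key. In a Django view, `to_sign` and `canonical_request` would be read from the request and `expected_key` from wherever the server recorded the key it issued (session or database); that integration is an assumption here, not the library's API.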