Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.