Downloads::File: fix SSRF inside is_cloudflare? (#2498).

Fixes the banned IP check not being applied when sending the HEAD
request for is_cloudflare?.

Also fixes the `#size` method not using the uncached url (which meant
the bookmarklet could report the wrong filesize on artstation uploads).

test/unit/downloads/art_station_test.rb

@@ -34,6 +34,10 @@ module Downloads
       should "return the original file, not the polished file" do
         assert_downloaded(517_706, @asset) # polished size: 502_052
       end
+
+      should "return the original filesize, not the polished filesize" do
+        assert_equal(517_706, Downloads::File.new(@asset).size)
+      end
     end
 
     context "a download for a https://$artist.artstation.com/projects/$id page" do

test/unit/downloads/file_test.rb

@@ -9,12 +9,12 @@ module Downloads
       end
 
       context "for a banned IP" do
-        should "prevent downloads" do
+        should "not try to download the file" do
           Resolv.expects(:getaddress).returns("127.0.0.1")
           assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").download! }
         end
 
-        should "prevent fetching the size" do
+        should "not try to fetch the size" do
           Resolv.expects(:getaddress).returns("127.0.0.1")
           assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").size }
         end
@@ -33,6 +33,11 @@ module Downloads
 
           assert_raise(Downloads::File::Error) { Downloads::File.new(url).download! }
         end
+
+        should "not send a HEAD request when checking for cloudflare" do
+          Resolv.expects(:getaddress).with("www.google.com").returns("127.0.0.1")
+          assert_raise(Downloads::File::Error) { @download.is_cloudflare? }
+        end
       end
 
       context "that fails" do