Anonymous Intelligence Signal

GitHub Security Issue: SSRF Bypass via Unvalidated Redirects in safe_get() and SafeSession

ai The Network unverified 2026-03-06 03:13:10 Source: Unknown source

A high-severity vulnerability was identified in a codebase's SSRF (Server-Side Request Forgery) protection mechanisms. The wrapper functions `safe_get()` and `SafeSession.request()` had a critical flaw when called with `allow_redirects=True`: the initial request URL was validated against the SSRF rules, but the targets of any subsequent HTTP redirects in the response chain were not.

This created a bypass path for attackers. An attacker could host a seemingly benign, externally accessible URL that passes the initial validation and then answers with an HTTP redirect to a sensitive internal endpoint, such as a cloud metadata service (e.g., `http://169.254.169.254/latest/meta-data/`) or a local admin API (e.g., `http://localhost:5000/admin`). The outcome could be exfiltration of cloud credentials or unauthorized access to internal APIs. The vulnerability specifically affected the PDF download operations in `download_service.py` (5 call sites) and `base.py` (1 call site).

The fix intercepts the `allow_redirects` parameter, forces it to `False` for the underlying HTTP library, and then follows the redirect chain manually. Each redirect target URL is now validated against the same SSRF rules before it is requested, and a maximum chain length of 10 hops is enforced. The fix also addresses a related bug in response size checking from a previous pull request.
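The following Python sketch is an added illustration of the fix's structure and is not the project's own code, which the report does not reproduce. It assumes a pluggable transport `send(url)` that is called with redirects disabled and returns `(status_code, headers)`, an injectable `resolve` function standing in for DNS, and an SSRF policy of "http(s) only, globally routable address only"; the `constructed_*` helpers supply in-memory sample input so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                     # hop limit described in the report
REDIRECT_CODES = {301, 302, 303, 307, 308}

class SSRFBlocked(Exception):
    """Raised when the initial URL or any redirect target fails the policy."""

def is_safe_url(url, resolve=socket.gethostbyname):
    """Assumed SSRF policy (not the project's): http(s) only, and the host must
    resolve to a globally routable address, which rejects loopback, link-local
    (169.254.0.0/16, where cloud metadata lives) and RFC 1918 ranges.
    `resolve` is injectable so the check can run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError):      # DNS failure or a non-IP answer
        return False
    return addr.is_global

def checked_get(url, send, allow_redirects=True, resolve=socket.gethostbyname):
    """Validate the first URL, then follow redirects by hand so every hop is
    validated too. `send(url)` is the underlying transport, called with
    redirects disabled; it returns (status_code, headers)."""
    current = url
    for hop in range(MAX_REDIRECTS + 1):
        if not is_safe_url(current, resolve):
            raise SSRFBlocked(f"hop {hop} blocked by SSRF policy: {current}")
        status, headers = send(current)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or location is None or not allow_redirects:
            return current, status
        current = urljoin(current, location)   # relative Location headers too
    raise SSRFBlocked(f"redirect chain longer than {MAX_REDIRECTS} hops")

def constructed_transport(routes):
    """Constructed in-memory transport: URL -> (status, headers); unlisted URLs
    answer 200 with no headers, so the chain ends there."""
    return lambda url: routes.get(url, (200, {}))

def constructed_resolver(table):
    """Constructed resolver: hostname -> IP literal; unknown names pass through
    unchanged, so IP literals in URLs are checked as written."""
    return lambda host: table.get(host, host)
```

Note that the hop counter starts at the initial request, so a chain of exactly 10 redirects is followed and the 11th is refused.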