Use hashie-forbidden_attributes now that the API is Grapified

As suggested in https://gitlab.com/gitlab-org/gitlab-ce/issues/23590#note_17468199, we should prevents Mash from responding to :permitted? and therefore triggering this behavior in ForbiddenAttributesProtection, using the hashie-forbidden_attributes gem.