helper command breaks build container with entrypoint script containing exec ${@}

Summary

The gitlab helper is trying to execute a multiline string inside our build container which causes the entrypoint script with exec ${@} to fail.

We tracked the issue to this bash statement that seems to be run before any of our job commands get executed. The command injected by the gitlab-runner will cause the re-expansion of ${@} for the exec command inside the entrypoint script to fail.

Steps to reproduce

  1. create an entrypoint script like so:
cat > entrypoint.sh <<EOF
#! /bin/bash -e
set -o pipefail
echo "Launch \${@}"
exec \${@}
EOF
  1. create a build image with that entrypoint
docker build --tag runner-issue:latest . -f-<<EOF
FROM alpine:3.7
ADD entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 0755 /usr/local/bin/entrypoint.sh ; apk add bash
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD []
EOF
  1. create a variable that holds a statement similar to the gitlab-runner bash statement
cat > bashdetectshell <<EOF
sh -c if [ -x /usr/bin/bash ]; then
  echo ya
else
  echo no
fi
EOF
  1. run a statement that resembles the gitlab-runner-helper command
docker run --rm runner-issue:latest "$(cat <<EOF
sh -c if [ -x /usr/local/bin/bash ]; then
  echo ya
else
  echo no
fi
EOF
)"

[: line 1: syntax error: unexpected end of file (expecting "then")

The error message is slightly different when this is run through the gitlab-runner, but the concept remains the same.

I would have thought that any variation of this one would work, but naah:

docker run --rm runner-issue:latest 'sh -c if [ -x /usr/local/bin/bash ]; then echo ya; else echo no; fi'

Actual behavior

This is the actual error we get when running a build image with an entrypoint script like the one above on gitlab-runner. The job terminates with the following error message BEFORE any of our scripts are run:

[: -c: line 1: syntax error: unexpected end of file
section_end:1554859836:build_script
section_start:1554859836:after_script
Launch sh -c if [ -x /usr/local/bin/bash ]; then
      exec /usr/local/bin/bash
elif [ -x /usr/bin/bash ]; then
      exec /usr/bin/bash
elif [ -x /bin/bash ]; then
      exec /bin/bash
elif [ -x /usr/local/bin/sh ]; then
      exec /usr/local/bin/sh
elif [ -x /usr/bin/sh ]; then
      exec /usr/bin/sh
elif [ -x /bin/sh ]; then
      exec /bin/sh
elif [ -x /busybox/sh ]; then
      exec /busybox/sh
else
      echo shell not found
      exit 1
fi

Expected behavior

job is executed on the docker image with entrypoint containing exec command

Environment description

hosted gitlab 11.7

Used GitLab Runner version

gitlab-ci 11.7 also verified problem on 11.9.1
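
The failure reduced to a local shell session, as an added example that is not part of the original report or of gitlab-runner. It assumes the runner passes `sh`, `-c` and the detection script as three separate arguments; `DETECT` is a shortened, constructed script and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, shortened stand-in for the shell-detection script in the job log.
DETECT='if [ -x /bin/sh ]; then
  echo found
else
  echo missing
fi'

# Entrypoint as in the report: ${@} is unquoted, so every argument is
# word-split (and glob-expanded) again before exec receives it.
run_unquoted() { ( exec ${@} ); }

# Quoted form: "$@" hands each argument to exec exactly as it arrived.
run_quoted() { ( exec "$@" ); }

# Number of words exec receives under each form.
count_unquoted() { set -- ${@}; echo $#; }
count_quoted() { set -- "$@"; echo $#; }

# Assumed runner-style invocation: three arguments, the script being the third.
echo "unquoted: $(count_unquoted sh -c "$DETECT") words"
echo "quoted:   $(count_quoted sh -c "$DETECT") words"

# Unquoted: sh -c receives only "if" as its command string and "[" as $0,
# which is why the reported error message starts with "[:".
run_unquoted sh -c "$DETECT" || echo "unquoted form failed with status $?"

# Quoted: the script reaches sh -c intact and runs.
run_quoted sh -c "$DETECT"
```

With `exec "$@"`, the single-string `docker run` commands from the reproduction steps would fail in a different way, because the whole string becomes the program name; the script has to arrive as its own argument after `sh -c`.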
