Fixes #29145: Prevent NPE when query tags are null

openmetadata-service/src/main/java/org/openmetadata/service/security/mask/PIIMasker.java

@@ -302,7 +302,7 @@ public static ResultList<Query> getQueries(
   }
 
   private static boolean hasPiiSensitiveTag(Query query) {
-    return query.getTags().stream().map(TagLabel::getTagFQN).anyMatch(SENSITIVE_PII_TAG::equals);
+    return query.getTags() != null && query.getTags().stream().map(TagLabel::getTagFQN).anyMatch(SENSITIVE_PII_TAG::equals);
   }
 
   private static boolean hasPiiSensitiveTag(Column column) {

openmetadata-service/src/test/java/org/openmetadata/service/security/mask/PIIMaskerTest.java

@@ -263,6 +263,34 @@ void getQueriesAndMaskUserHideSensitiveValuesForUnauthorizedUsers() {
     assertEquals(PIIMasker.MASKED_MAIL, maskedUser.getEmail());
   }
 
+  @Test
+  void getQueriesHandlesNullTagsForUnauthorizedUsers() {
+    Authorizer authorizer = mock(Authorizer.class);
+    SecurityContext securityContext = mock(SecurityContext.class);
+
+    EntityReference owner = entityReference(Entity.USER, "owner");
+
+    Query query =
+            new Query()
+                    .withQuery("select email from customer")
+                    .withOwners(List.of(owner));
+
+    query.setTags(null);
+
+    ResultList<Query> queries =
+            new ResultList<>(new ArrayList<>(List.of(query)));
+
+    when(authorizer.authorizePII(securityContext, List.of(owner)))
+            .thenReturn(false);
+
+    ResultList<Query> result =
+            PIIMasker.getQueries(queries, authorizer, securityContext);
+
+    assertEquals(
+            "select email from customer",
+            result.getData().get(0).getQuery());
+  }
+
   @Test
   void getQueriesAndMaskUserLeaveAuthorizedValuesUntouched() {
     Authorizer authorizer = mock(Authorizer.class);